CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
905 vulnerabilities reference this CWE, most recent first.
GHSA-CV9P-C62C-7F95
Vulnerability from github – Published: 2022-05-17 02:35 – Updated: 2022-05-17 02:35Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.
{
"affected": [],
"aliases": [
"CVE-2016-8209"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-08T18:29:00Z",
"severity": "HIGH"
},
"details": "Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.",
"id": "GHSA-cv9p-c62c-7f95",
"modified": "2022-05-17T02:35:15Z",
"published": "2022-05-17T02:35:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8209"
},
{
"type": "WEB",
"url": "https://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-315.htm"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038402"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVG5-HJH8-246X
Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-03-06 21:30Improper condition check in some Intel(R) SPS firmware before version SPS_E3_06.00.03.300.0 may allow a privileged user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2022-36794"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-16T20:15:00Z",
"severity": "MODERATE"
},
"details": "Improper condition check in some Intel(R) SPS firmware before version SPS_E3_06.00.03.300.0 may allow a privileged user to potentially enable denial of service via local access.",
"id": "GHSA-cvg5-hjh8-246x",
"modified": "2023-03-06T21:30:18Z",
"published": "2023-02-16T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36794"
},
{
"type": "WEB",
"url": "http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00718.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CWJ5-FC98-66QG
Vulnerability from github – Published: 2024-07-12 15:31 – Updated: 2025-11-04 00:30In the Linux kernel, the following vulnerability has been resolved:
mips: bmips: BCM6358: make sure CBR is correctly set
It was discovered that some device have CBR address set to 0 causing kernel panic when arch_sync_dma_for_cpu_all is called.
This was notice in situation where the system is booted from TP1 and BMIPS_GET_CBR() returns 0 instead of a valid address and !!(read_c0_brcm_cmt_local() & (1 << 31)); not failing.
The current check whether RAC flush should be disabled or not are not enough hence lets check if CBR is a valid address or not.
{
"affected": [],
"aliases": [
"CVE-2024-40963"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-12T13:15:18Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: make sure CBR is correctly set\n\nIt was discovered that some device have CBR address set to 0 causing\nkernel panic when arch_sync_dma_for_cpu_all is called.\n\nThis was notice in situation where the system is booted from TP1 and\nBMIPS_GET_CBR() returns 0 instead of a valid address and\n!!(read_c0_brcm_cmt_local() \u0026 (1 \u003c\u003c 31)); not failing.\n\nThe current check whether RAC flush should be disabled or not are not\nenough hence lets check if CBR is a valid address or not.",
"id": "GHSA-cwj5-fc98-66qg",
"modified": "2025-11-04T00:30:55Z",
"published": "2024-07-12T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40963"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/10afe5f7d30f6fe50c2b1177549d0e04921fc373"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2cd4854ef14a487bcfb76c7980675980cad27b52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/36d771ce6028b886e18a4a8956a5d23688e4e13d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c0f6ccd939166f56a904c792d7fcadae43b9085"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/89167072fd249e5f23ae2f8093f87da5925cef27"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce5cdd3b05216b704a704f466fb4c2dff3778caf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da895fd6da438af8d9326b8f02d715a9c76c3b5b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CWQ8-6F96-G3Q4
Vulnerability from github – Published: 2026-04-02 21:24 – Updated: 2026-05-06 02:39Summary
Security Scan Failure Does Not Block Plugin Installation (Fail-Open)
Current Maintainer Triage
- Status: open
- Normalized severity: low
- Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
7a953a52271b9188a5fa830739a4366614ff9916— 2026-03-30T15:36:08+01:0044b993613601280d46a5b88190e46669fc13d669— 2026-03-31T23:16:11+09:000d7f1e2c84eca65df7dee890d9c30e2a841c030a— 2026-03-31T23:27:20+09:00bf96c67fd1954740aeabfadc7cfe3098bcfc6b68— 2026-03-31T15:53:29+01:00
OpenClaw thanks @davidluzsilva for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41377"
],
"database_specific": {
"cwe_ids": [
"CWE-636",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T21:24:03Z",
"nvd_published_at": "2026-04-28T19:37:40Z",
"severity": "LOW"
},
"details": "## Summary\nSecurity Scan Failure Does Not Block Plugin Installation (Fail-Open)\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Real in shipped v2026.3.28 plugin install flow, but low severity fits because it still requires an operator to choose installation of an untrusted package and the scan failure was visible rather than silent.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `7a953a52271b9188a5fa830739a4366614ff9916` \u2014 2026-03-30T15:36:08+01:00\n- `44b993613601280d46a5b88190e46669fc13d669` \u2014 2026-03-31T23:16:11+09:00\n- `0d7f1e2c84eca65df7dee890d9c30e2a841c030a` \u2014 2026-03-31T23:27:20+09:00\n- `bf96c67fd1954740aeabfadc7cfe3098bcfc6b68` \u2014 2026-03-31T15:53:29+01:00\n\nOpenClaw thanks @davidluzsilva for reporting.",
"id": "GHSA-cwq8-6f96-g3q4",
"modified": "2026-05-06T02:39:04Z",
"published": "2026-04-02T21:24:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41377"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/0d7f1e2c84eca65df7dee890d9c30e2a841c030a"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/44b993613601280d46a5b88190e46669fc13d669"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Security Scan Failure Does Not Block Plugin Installation (Fail-Open)"
}
GHSA-CWX6-6G6C-MMWM
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-06-02 00:00Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-8738"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.",
"id": "GHSA-cwx6-6g6c-mmwm",
"modified": "2022-06-02T00:00:22Z",
"published": "2022-05-24T17:34:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8738"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210122-0008"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00390"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CX8V-4599-XPCF
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-12 00:01Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE. The patch is applied in Galaxy S22 to prevent change of Android ROT after first initialization at boot time.
{
"affected": [],
"aliases": [
"CVE-2022-28793"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE. The patch is applied in Galaxy S22 to prevent change of Android ROT after first initialization at boot time.",
"id": "GHSA-cx8v-4599-xpcf",
"modified": "2022-05-12T00:01:20Z",
"published": "2022-05-04T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28793"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F27H-G923-68HW
Vulnerability from github – Published: 2024-11-25 00:31 – Updated: 2025-01-09 15:50In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0"
},
{
"fixed": "23.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "24.0.0"
},
{
"fixed": "24.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "neutron"
},
"ranges": [
{
"events": [
{
"introduced": "25.0.0"
},
{
"fixed": "25.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-53916"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-25T15:29:24Z",
"nvd_published_at": "2024-11-25T00:15:04Z",
"severity": "MODERATE"
},
"details": "In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1.",
"id": "GHSA-f27h-g923-68hw",
"modified": "2025-01-09T15:50:49Z",
"published": "2024-11-25T00:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53916"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/neutron"
},
{
"type": "WEB",
"url": "https://github.com/openstack/neutron/blob/363ffa6e9e1ab5968f87d45bc2f1cb6394f48b9f/neutron/extensions/tagging.py#L138-L232"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/neutron/+/935883"
},
{
"type": "WEB",
"url": "https://review.opendev.org/q/project:openstack/neutron"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2024-005.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/12/03/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Neutron can use an incorrect ID during policy enforcement"
}
GHSA-F292-7GW4-3Q3V
Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-25 00:00An issue was discovered in Nginx NJS v0.7.5. The JUMP offset for a break instruction was not set to a correct offset during code generation, leading to a segmentation violation.
{
"affected": [],
"aliases": [
"CVE-2022-35173"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-18T06:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Nginx NJS v0.7.5. The JUMP offset for a break instruction was not set to a correct offset during code generation, leading to a segmentation violation.",
"id": "GHSA-f292-7gw4-3q3v",
"modified": "2022-08-25T00:00:28Z",
"published": "2022-08-19T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35173"
},
{
"type": "WEB",
"url": "https://github.com/nginx/njs/issues/553"
},
{
"type": "WEB",
"url": "https://github.com/nginx/njs/commit/404553896792b8f5f429dc8852d15784a59d8d3e"
},
{
"type": "WEB",
"url": "http://hg.nginx.org/njs/rev/b7c4e0f714a9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2F3-HCJW-63P3
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2026-05-29 15:30A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon Quantum, Modicon Premium (see security notification for specific versions) which could cause a Denial of Service when reading data with invalid index using Modbus TCP.
{
"affected": [],
"aliases": [
"CVE-2018-7794"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-06T23:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, Modicon Quantum, Modicon Premium (see security notification for specific versions) which could cause a Denial of Service when reading data with invalid index using Modbus TCP.",
"id": "GHSA-f2f3-hcjw-63p3",
"modified": "2026-05-29T15:30:21Z",
"published": "2022-05-24T17:05:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7794"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2019-344-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2Q2-PV27-HGJF
Vulnerability from github – Published: 2025-04-19 21:30 – Updated: 2025-04-19 21:307-Zip through 24.09 does not report an error for certain invalid xz files, involving block flags and reserved bits.
{
"affected": [],
"aliases": [
"CVE-2022-47111"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-19T21:15:45Z",
"severity": "LOW"
},
"details": "7-Zip through 24.09 does not report an error for certain invalid xz files, involving block flags and reserved bits.",
"id": "GHSA-f2q2-pv27-hgjf",
"modified": "2025-04-19T21:30:28Z",
"published": "2025-04-19T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47111"
},
{
"type": "WEB",
"url": "https://github.com/boofish/semantic-bugs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.