CWE-129 - Improper Validation of Array Index

CWE-129 High

  • Abstraction: Variant
  • Structure: Simple
  • Status: Draft
Weakness Name

Improper Validation of Array Index

Description

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Common Consequences

Scope: Integrity, Availability

Impact: DoS: Crash, Exit, or Restart

Notes: Use of an index that is outside the bounds of an array will very likely result in the corruption of relevant memory and perhaps instructions, leading to a crash, if the values are outside of the valid memory area.

Scope: Integrity

Impact: Modify Memory

Notes: If the memory corrupted is data, rather than instructions, the system will continue to function with improper values.

Scope: Confidentiality, Integrity

Impact: Modify Memory, Read Memory

Notes: Use of an index that is outside the bounds of an array can also trigger out-of-bounds read or write operations, or operations on the wrong objects; i.e., "buffer overflows" are not always the result. This may result in the exposure or modification of sensitive data.

Scope: Integrity, Confidentiality, Availability

Impact: Execute Unauthorized Code or Commands

Notes: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow and possibly without the use of large inputs if a precise index can be controlled.

Scope: Integrity, Availability, Confidentiality

Impact: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory, Modify Memory

Notes: A single fault could allow either an overflow (CWE-788) or underflow (CWE-786) of the array index. What happens next will depend on the type of operation being performed out of bounds, but can expose sensitive information, cause a system crash, or possibly lead to arbitrary code execution.
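The overflow and underflow cases above come down to one check with two bounds. The following C sketch is an added example, not part of the CWE entry: it takes an index from untrusted text, shows why an upper-bound-only comparison on a signed index is insufficient, and validates both bounds before the array is touched. All names (`price_table`, `parse_index`, `checked_get`, `lookup_price`) and the sample data are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_LEN 4
static const int price_table[TABLE_LEN] = {100, 250, 400, 975}; /* constructed sample data */

/* Flawed validation: a signed index is compared against the upper bound only,
 * so negative values pass (the underflow case). Returns 1 if the check would
 * accept idx; the array access itself is deliberately not performed. */
int upper_bound_only_accepts(long idx) {
    return idx < TABLE_LEN;
}

/* Parse an untrusted decimal string, rejecting empty input, trailing
 * characters and values that do not fit in a long. Returns 0 on success. */
int parse_index(const char *text, long *out) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE) return -1;
    *out = v;
    return 0;
}

/* Hardened lookup: both bounds are checked before the array is indexed.
 * Returns 0 and stores the element in *out, or -1 if the index is rejected. */
int checked_get(const int *table, size_t len, long idx, int *out) {
    if (idx < 0 || (size_t)idx >= len) return -1;
    *out = table[idx];
    return 0;
}

/* Full path from untrusted text to array element. */
int lookup_price(const char *untrusted, int *out) {
    long idx;
    if (parse_index(untrusted, &idx) != 0) return -1;
    return checked_get(price_table, TABLE_LEN, idx, out);
}

int main(void) {
    /* constructed inputs: valid, negative, one past the end, too large, malformed */
    const char *inputs[] = {"2", "-1", "4", "99999999999999999999", "3x"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0, rc = lookup_price(inputs[i], &v);
        printf("%-22s rc=%d value=%d\n", inputs[i], rc, v);
    }
}
```
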

Related Weaknesses
  • Release Date: 2006-07-19
  • Latest Modification Date: 2023-06-29