CWE-129 - Improper Validation of Array Index

CWE-129 High

Abstraction:
Variant

Structure:
Simple

Status:
Draft

Weakness Name: Improper Validation of Array Index

Description: The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Common Consequences: Scope: Integrity, Availability
Impact: DoS: Crash, Exit, or Restart
Notes: Use of an index that is outside the bounds of an array will very likely result in the corruption of relevant memory and perhaps instructions, leading to a crash, if the values are outside of the valid memory area.
Scope: Integrity
Impact: Modify Memory
Notes: If the memory corrupted is data, rather than instructions, the system will continue to function with improper values.
Scope: Confidentiality, Integrity
Impact: Modify Memory, Read Memory
Notes: Use of an index that is outside the bounds of an array can also trigger out-of-bounds read or write operations, or operations on the wrong objects; i.e., "buffer overflows" are not always the result. This may result in the exposure or modification of sensitive data.
Scope: Integrity, Confidentiality, Availability
Impact: Execute Unauthorized Code or Commands
Notes: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow and possibly without the use of large inputs if a precise index can be controlled.
Scope: Integrity, Availability, Confidentiality
Impact: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory, Modify Memory
Notes: A single fault could allow either an overflow (CWE-788) or underflow (CWE-786) of the array index. What happens next will depend on the type of operation being performed out of bounds, but can expose sensitive information, cause a system crash, or possibly lead to arbitrary code execution.