CWE-1389 - Incorrect Parsing of Numbers with Different Radices
CWE-1389
- Abstraction:
- Base
- Structure:
- Simple
- Status:
- Incomplete
- Weakness Name
Incorrect Parsing of Numbers with Different Radices
- Description
The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix).
Frequently, a numeric input that begins with "0" is treated as octal, or "0x" causes it to be treated as hexadecimal, e.g. by the inet_addr() function. For example, "023" (octal) is 35 decimal, or "0x31" is 49 decimal. Other bases may be used as well. If the developer assumes decimal-only inputs, the code could produce incorrect numbers when the inputs are parsed using a different base. This can result in unexpected and/or dangerous behavior. For example, a "0127.0.0.1" IP address is parsed as octal due to the leading "0", whose numeric value would be the same as 87.0.0.1 (decimal), where the developer likely expected to use 127.0.0.1. The consequences vary depending on the surrounding code in which this weakness occurs, but they can include bypassing network-based access control using unexpected IP addresses or netmasks, or causing apparently-symbolic identifiers to be processed as if they are numbers. In web applications, this can enable bypassing of SSRF restrictions.
- Common Consequences
Scope: Confidentiality
Impact: Read Application Data
Notes: An attacker may use an unexpected numerical base to access private application resources.
Scope: Integrity
Impact: Bypass Protection Mechanism, Alter Execution Logic
Notes: An attacker may use an unexpected numerical base to bypass or manipulate access control mechanisms.
- Related Weaknesses
- Release Date:
- 2022-10-13
- Latest Modification Date:
- 2023-06-29
Free security scan for your website