
CWE-20 - Improper Input Validation

  • Abstraction: Class
  • Structure: Simple
  • Status: Stable
  • Release Date: 2006-07-19
  • Latest Modification Date: 2025-04-03

Weakness Name

Improper Input Validation

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. Input can consist of:

Data can be simple or structured. Structured data can be composed of many nested layers, composed of combinations of metadata and raw data, with other simple or structured data. Many properties of raw data or metadata may need to be validated upon entry into the code, such as:

Implied or derived properties of data must often be calculated or inferred by the code itself. Errors in deriving properties may be considered a contributing factor to improper input validation.
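The description above distinguishes metadata from the raw data it describes and notes that properties the code derives itself are a common source of validation errors. As an added illustration that is not part of the CWE entry, the following Python parses a constructed length-prefixed record format two ways: one that trusts the declared count and lengths, and one that checks each metadata field against the bytes actually present and against an explicit limit before using it. The format, the field widths and the limits are assumptions made for this example.

```python
import struct

MAX_RECORDS = 64        # constructed limits; a real format defines its own
MAX_RECORD_LEN = 1024

class ValidationError(ValueError):
    """Metadata does not describe the raw data it accompanies."""

def parse_unchecked(buf: bytes) -> list[bytes]:
    """Trusts every metadata field. A count of 65535 with no payload yields
    65535 empty records; a declared length running past the end of the buffer
    is silently truncated, so the caller sees less data than was advertised."""
    count = int.from_bytes(buf[0:2], "big")
    pos, records = 2, []
    for _ in range(count):
        length = int.from_bytes(buf[pos:pos + 2], "big")
        records.append(buf[pos + 2:pos + 2 + length])
        pos += 2 + length
    return records

def parse_validated(buf: bytes) -> list[bytes]:
    """Same format, but each metadata field is checked against the raw data it
    describes, and against an explicit limit, before it is used."""
    if len(buf) < 2:
        raise ValidationError("count field truncated")
    (count,) = struct.unpack_from(">H", buf, 0)
    if count > MAX_RECORDS:
        raise ValidationError(f"record count {count} exceeds {MAX_RECORDS}")
    pos, records = 2, []
    for i in range(count):
        if pos + 2 > len(buf):
            raise ValidationError(f"record {i}: length field truncated")
        (length,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        if length > MAX_RECORD_LEN:
            raise ValidationError(f"record {i}: length {length} exceeds limit")
        if pos + length > len(buf):         # declared length vs. actual bytes
            raise ValidationError(f"record {i}: {length} bytes declared, "
                                  f"{len(buf) - pos} present")
        records.append(buf[pos:pos + length])
        pos += length
    if pos != len(buf):                     # derived total vs. actual total
        raise ValidationError(f"{len(buf) - pos} trailing bytes after records")
    return records

def rejects(buf: bytes) -> bool:
    """True when parse_validated refuses buf."""
    try:
        parse_validated(buf)
        return False
    except ValidationError:
        return True
```

The unchecked parser never raises on the malformed inputs the validated one rejects; it returns a huge list of empty records, a truncated record, or quietly ignores trailing bytes, which is exactly the kind of derived-property error the description refers to.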

Common Consequences

Scope: Availability

Impact: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Notes: An attacker could provide unexpected values and cause a program crash or arbitrary control of resource allocation, leading to excessive consumption of resources such as memory and CPU.

Scope: Confidentiality

Impact: Read Memory, Read Files or Directories

Notes: An attacker could read confidential data if they are able to control resource references.

Scope: Integrity, Confidentiality, Availability

Impact: Modify Memory, Execute Unauthorized Code or Commands

Notes: An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

Related Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (High)
  • CWE-41: Improper Resolution of Path Equivalence
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (High)
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (High)
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-707: Improper Neutralization
  • CWE-770: Allocation of Resources Without Limits or Throttling (High)

Related Alerts

  • User Controllable JavaScript Event (XSS) (Informational)
  • Relative Path Confusion (Medium)
  • HTTP Parameter Pollution (Informational)
  • User Controllable HTML Element Attribute (Potential XSS) (Informational)
  • Source Code Disclosure - CVE-2012-1823 (High)
  • Remote Code Execution - CVE-2012-1823 (High)
  • HTTP Parameter Override (Medium)
  • Httpoxy - Proxy Header Misuse (High)
  • User Controllable Charset (Informational)