The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
This is used by CWE and CAPEC instead of other commonly-used terms. Its counterpart is denylist.
This is often used by security tools such as firewalls, email or web gateways, proxies, etc.
This term is frequently used, but usage has been declining as organizations have started to adopt other terms.
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| CanPrecede | Allowed | B | 434 | Unrestricted Upload of File with Dangerous Type |
| ChildOf | Discouraged | P | 697 | Incorrect Comparison |
| ParentOf | Allowed | B | 186 | Overly Restrictive Regular Expression |
| ParentOf | Allowed | B | 625 | Permissive Regular Expression |
| ParentOf | Allowed | V | 627 | Dynamic Variable Evaluation |
| ParentOf | Allowed | V | 942 | Permissive Cross-domain Policy with Untrusted Domains |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input |
| MemberOf | Prohibited | C | 990 | SFP Secondary Cluster: Tainted Input to Command |
| MemberOf | Prohibited | C | 1215 | Data Validation Issues |
| MemberOf | Prohibited | C | 1348 | OWASP Top Ten 2021 Category A04:2021 - Insecure Design |
| MemberOf | Prohibited | C | 1397 | Comprehensive Categorization: Comparison |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | BS | BOSS-294 | Not Language-Specific Weaknesses |
| MemberOf | Prohibited | BS | BOSS-316 | Bypass Protection Mechanism (impact) |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1215 | Data Validation Issues |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 1348 | OWASP Top Ten 2021 Category A04:2021 - Insecure Design |
| Nature | Mapping | Type | ID | Name |
|---|---|---|---|---|
| MemberOf | Prohibited | C | 990 | SFP Secondary Cluster: Tainted Input to Command |
| Scope | Likelihood | Impact | Note |
|---|---|---|---|
| Access Control | N/A | Bypass Protection Mechanism | N/A |
N/A
| Reference | Description |
|---|---|
| CVE-2019-12799 | chain: bypass of untrusted deserialization issue (CWE-502) by using an assumed-trusted class (CWE-183) |
| CVE-2019-10458 | sandbox bypass using a method that is on an allowlist |
| CVE-2017-1000095 | sandbox bypass using unsafe methods that are on an allowlist |
| CVE-2019-10458 | CI/CD pipeline feature has unsafe elements in allowlist, allowing bypass of script restrictions |
| CVE-2017-1000095 | Default allowlist includes unsafe methods, allowing bypass of sandbox |
| Ordinality | Description |
|---|---|
| Primary | N/A |
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
N/A
This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
| Taxonomy Name | Entry ID | Fit | Entry Name |
|---|---|---|---|
| PLOVER | N/A | N/A | Permissive Whitelist |