Byte Open Security (ByteOS Network)

CWE-474: Use of Function with Inconsistent Implementations
Weakness ID: 474
Version: v4.17
Weakness Name: Use of Function with Inconsistent Implementations
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The code uses a function that has inconsistent implementations across operating systems and versions.

▼Extended Description

The use of inconsistent implementations can cause changes in behavior when the code is ported or built under a different environment than the programmer expects, which can lead to security problems in some cases.

The implementation of many functions varies by platform, and at times, even by different versions of the same platform. Implementation differences can include:

  • Slight differences in the way parameters are interpreted, leading to inconsistent results.
  • Some implementations of the function carry significant security risks.
  • The function might not be defined on all platforms.
  • The function might change which return codes it can provide, or change the meaning of its return codes.
▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
  Nature    Mapping              Type     ID   Name
  ChildOf   Allowed-with-Review  Class    758  Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  ParentOf  Allowed              Variant  589  Call to Non-ubiquitous API
▼Memberships
  Nature    Mapping     Type      ID    Name
  MemberOf  Prohibited  Category  398   7PK - Code Quality
  MemberOf  Prohibited  Category  1001  SFP Secondary Cluster: Use of an Improper API
  MemberOf  Prohibited  Category  1228  API / Function Errors
  MemberOf  Prohibited  Category  1412  Comprehensive Categorization: Poor Coding Practices
▼Tags
  Nature    Mapping     Type      ID        Name
  MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
  MemberOf  Prohibited  BOSSView  BOSS-325  Quality Degradation (impact)
  MemberOf  Prohibited  BOSSView  BOSS-326  Varies by Context (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
  Nature    Mapping     Type      ID    Name
  MemberOf  Prohibited  Category  1001  SFP Secondary Cluster: Use of an Improper API
Relevant to the view "Software Development - (699)"
  Nature    Mapping     Type      ID    Name
  MemberOf  Prohibited  Category  1228  API / Function Errors
Relevant to the view "Seven Pernicious Kingdoms - (700)"
  Nature    Mapping     Type      ID    Name
  MemberOf  Prohibited  Category  398   7PK - Code Quality
▼Background Detail

▼Common Consequences
  Scope  Likelihood  Impact                                  Note
  Other  N/A         Quality Degradation; Varies by Context  N/A
▼Potential Mitigations
Phase: Architecture and Design, Requirements
Description:

Do not accept inconsistent behavior from the API specifications when the deviant behavior increases the risk level.

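As an added example (not part of the CWE entry or of the ByteOS page), the C wrapper below shows the kind of defensive handling the mitigation above calls for, and illustrates two of the implementation differences listed in the Extended Description: a function that is absent on some platforms, and one whose return-code meaning changes between implementations. The function chosen is snprintf: C99 returns the length the output would have had (so a value of at least the buffer size means truncation) and a negative value on error, while Microsoft C runtimes before Visual Studio 2015 lacked a conforming snprintf and their _snprintf/_vsnprintf returned -1 on truncation without guaranteeing NUL termination. The names safe_format, fmt_status and PORTABLE_VSNPRINTF are this example's own.

```c
/* Added example: a wrapper that refuses to depend on the platform-specific
 * return convention of snprintf (CWE-474). Not code from the CWE entry. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bullet 3 of the Extended Description: the function may not exist.
 * Pre-VS2015 MSVC (_MSC_VER < 1900) has no conforming vsnprintf, only the
 * legacy _vsnprintf. Select the symbol at compile time instead of letting
 * the build fail or silently pick up a different function. */
#if defined(_MSC_VER) && _MSC_VER < 1900
#define PORTABLE_VSNPRINTF _vsnprintf
#else
#define PORTABLE_VSNPRINTF vsnprintf
#endif

/* Our own, implementation-independent status codes. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/* Format into buf[size]. Guarantees NUL termination whenever size > 0 and
 * reports truncation explicitly, so callers never interpret the raw return
 * value of the underlying implementation (bullet 4: return codes differ). */
int safe_format(char *buf, size_t size, const char *fmt, ...)
{
    if (buf == NULL || size == 0 || fmt == NULL)
        return FMT_ERROR;

    va_list ap;
    va_start(ap, fmt);
    int n = PORTABLE_VSNPRINTF(buf, size, fmt, ap);
    va_end(ap);

    /* Terminate unconditionally: the legacy implementation does not on
     * truncation, and a missing terminator is what turns a quality issue
     * into a memory-safety one in the caller. */
    buf[size - 1] = '\0';

    if (n < 0) {
        /* Negative means "encoding error" under C99 but "truncated" under
         * the legacy convention. We cannot tell which, so do not hand the
         * caller a partial string it might treat as complete. */
        buf[0] = '\0';
        return FMT_ERROR;
    }
    if ((size_t)n >= size)
        return FMT_TRUNCATED;   /* C99 convention: output needed n + 1 bytes */
    return FMT_OK;
}

int main(void)
{
    /* Constructed inputs for a stand-alone run. */
    char big[32];
    char small[8];

    printf("big:   status=%d text=\"%s\"\n",
           safe_format(big, sizeof big, "%s", "hello"), big);
    printf("small: status=%d text=\"%s\"\n",
           safe_format(small, sizeof small, "%s", "hello world"), small);
    return 0;
}
```

Callers branch on FMT_OK / FMT_TRUNCATED / FMT_ERROR rather than on the sign or magnitude of the library's return value, which is the point of the mitigation: the inconsistency is resolved once, inside the wrapper, instead of being re-interpreted (and mis-interpreted) at every call site.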
▼Modes Of Introduction
Phase: Implementation
Note: N/A

▼Applicable Platforms
Languages
  • C (Prevalence: Often)
  • PHP (Prevalence: Often)
  • Class: Not Language-Specific (Prevalence: Undetermined)
▼Demonstrative Examples
▼Observed Examples
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
  Ordinality  Description
  Primary     N/A
  Indirect    N/A
▼Detection Methods
Automated Static Analysis
Detection Method ID: DM-14
Description:

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Effectiveness: High
Note: N/A

▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Notes
▼Taxonomy Mappings
  Taxonomy Name            Entry ID  Fit  Entry Name
  7 Pernicious Kingdoms    N/A       N/A  Inconsistent Implementations
  Software Fault Patterns  SFP3      N/A  Use of an improper API
▼Related Attack Patterns
▼References
Reference ID: REF-6
Title: Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
Author: Katrina Tsipenyuk, Brian Chess, Gary McGraw
Publication: NIST Workshop on Software Security Assurance Tools Techniques and Metrics
Publisher: NIST
URL: https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
Date: 2005-11-07