CWE-684: Incorrect Provision of Specified Functionality
Weakness ID: 684
Version: v4.17
Weakness Name: Incorrect Provision of Specified Functionality
Vulnerability Mapping: Allowed-with-Review
Abstraction: Class
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The code does not function according to its published specifications, potentially leading to incorrect usage.

▼Extended Description

When providing functionality to an external party, it is important that the product behaves in accordance with the details specified. When requirements or nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature   | Mapping             | Type   | ID   | Name
ChildOf  | Discouraged         | Pillar | 710  | Improper Adherence to Coding Standards
ParentOf | Allowed             | Base   | 1245 | Improper Finite State Machines (FSMs) in Hardware Logic
ParentOf | Allowed             | Base   | 392  | Missing Report of Error Condition
ParentOf | Allowed             | Base   | 393  | Return of Wrong Status Code
ParentOf | Allowed             | Base   | 440  | Expected Behavior Violation
ParentOf | Allowed-with-Review | Class  | 446  | UI Discrepancy for Security Feature
ParentOf | Allowed-with-Review | Class  | 451  | User Interface (UI) Misrepresentation of Critical Information
ParentOf | Allowed-with-Review | Class  | 912  | Hidden Functionality
▼Memberships
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 735  | CERT C Secure Coding Standard (2008) Chapter 2 - Preprocessor (PRE)
MemberOf | Prohibited | Category | 1001 | SFP Secondary Cluster: Use of an Improper API
MemberOf | Prohibited | Category | 1412 | Comprehensive Categorization: Poor Coding Practices
▼Tags
Nature   | Mapping    | Type      | ID       | Name
MemberOf | Prohibited | BOSS View | BOSS-325 | Quality Degradation (impact)
▼Relevant To View
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1001 | SFP Secondary Cluster: Use of an Improper API
▼Background Detail

▼Common Consequences
Scope | Likelihood | Impact              | Note
Other | N/A        | Quality Degradation | N/A
▼Potential Mitigations
Phase: Implementation
Description: Ensure that your code strictly conforms to specifications.
▼Modes Of Introduction
Phase: Implementation
Note: N/A
▼Applicable Platforms
▼Demonstrative Examples
Example 1

In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

Language: Java (Bad code)

    try {
        // Something that may throw an exception.
        ...
    } catch (Throwable t) {
        // The error is logged, but the response status is never changed,
        // so the container's default 200 OK goes back to the caller.
        logger.error("Caught: " + t.toString());
        return;
    }

Example 2

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

Language: Java (Bad code)

    try {
        // something that might throw IOException
        ...
    } catch (IOException ioe) {
        // 404 "Not Found" misreports what is really a server-side I/O failure.
        response.sendError(SC_NOT_FOUND);
    }
▼Observed Examples
Reference     | Description
CVE-2002-1446 | Error checking routine in PKCS#11 library returns "OK" status even when invalid signature is detected, allowing spoofed messages.
CVE-2001-1559 | Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).
CVE-2003-0187 | Program uses large timeouts on unconfirmed connections resulting from inconsistency in linked lists implementations.
CVE-1999-1446 | UI inconsistency; visited URLs list not cleared when "Clear History" option is selected.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality | Description
Indirect   | N/A
Primary    | N/A
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed-with-Review
Reason: Abstraction
Rationale: This CWE entry is a Class and might have Base-level children that would be more appropriate.
Comments: Examine children of this entry to see if there is a better fit.
Suggestions:
▼Notes
▼Taxonomy Mappings
Taxonomy Name        | Entry ID | Fit | Entry Name
CERT C Secure Coding | PRE09-C  | N/A | Do not replace secure functions with less secure functions
▼Related Attack Patterns
▼References