
CWE-1284 — Vulnerability Class 134

134 vulnerabilities classified as CWE-1284. AI Chinese analysis included.

CWE-1284 represents a critical input validation weakness in which software fails to properly verify a numerical quantity supplied by the user, such as a size, length, or frequency. Attackers typically exploit this flaw by submitting crafted inputs that exceed the expected limits, triggering resource exhaustion, buffer overflows, or logic errors when the value is used for allocation or iteration. By bypassing these checks, adversaries can cause denial of service, data corruption, or arbitrary code execution. To mitigate this risk, developers must implement rigorous validation routines that enforce strict upper and lower bounds on all quantitative inputs: verify that values fall within acceptable ranges before processing, use safe parsing functions, and apply defensive programming techniques that handle unexpected or extreme values gracefully, so that unchecked numerical parameters cannot be exploited and system stability is preserved.

MITRE CWE Description
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. Specified quantities include size, length, frequency, price, rate, number of operations, time, and others. Code may rely on specified quantities to allocate resources, perform calculations, control iteration, etc.
Common Consequences (1)
Scope: Other, Integrity, Availability
Impact: Varies by Context, DoS: Resource Consumption (CPU), Modify Memory, Read Memory
When the quantity is not properly validated, then attackers can specify malicious quantities to cause excessive resource allocation, trigger unexpected failures, enable buffer overflows, etc.
Mitigations (1)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
Examples (2)
This example demonstrates a shopping interaction in which the user is free to specify the quantity of items to be purchased and a total is calculated.

    ...
    public static final double price = 20.00;
    int quantity = currentUser.getAttribute("quantity");
    double total = price * quantity;
    chargeUser(total);
    ...

Bad · Java
This example asks the user for a height and width of an m X n game board with a maximum dimension of 100 squares.

    ...
    #define MAX_DIM 100
    ...
    /* board dimensions */
    int m, n, error;
    board_square_t *board;
    printf("Please specify the board height: \n");
    error = scanf("%d", &m);
    if ( EOF == error ){
        die("No integer passed: Die evil hacker!\n");
    }
    printf("Please specify the board width: \n");
    error = scanf("%d", &n);
    if ( EOF == error ){
        die("No integer passed: Die evil hacker!\n");
    }
    if ( m > MAX_DIM || n > MAX_DIM ) {
        die("Value too large: Die evil hacker!\n");
    }
    board = (board_square_t*) malloc( m * n * sizeof(board_square_t));
    ...

Bad · C
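A hardened counterpart to the board-dimension code, added here as an example (not MITRE's code and not from this page): it parses each dimension with strtol so that range errors are reported, enforces the lower bound the original omits, and checks the allocation size for overflow before calling the allocator. The same bounded-range check is what the shopping example lacks for its quantity. board_square_t is a placeholder type assumed only so the code compiles.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_DIM 100

typedef struct { int occupied; } board_square_t; /* placeholder type, assumed */

/* Parse one board dimension from text with strtol rather than scanf("%d"),
 * so an out-of-range number is reported (ERANGE) instead of wrapping.
 * Returns the value only if it is an integer in [1, MAX_DIM], else -1;
 * the lower bound rejects the negative values the original accepted. */
int parse_dim(const char *text)
{
    char *end;
    long v;
    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0')
        return -1;              /* overflow, no digits, or trailing junk */
    if (v < 1 || v > MAX_DIM)
        return -1;              /* both bounds checked, not only the upper */
    return (int)v;
}

/* Byte size of an m x n board, or 0 if a dimension is below 1 or the
 * product would wrap size_t. MAX_DIM in parse_dim makes the wrap impossible
 * today; the check keeps the allocation safe if that bound is ever raised. */
size_t board_bytes(int m, int n)
{
    size_t cells;
    if (m < 1 || n < 1)
        return 0;
    if ((size_t)m > SIZE_MAX / (size_t)n)
        return 0;
    cells = (size_t)m * (size_t)n;
    if (cells > SIZE_MAX / sizeof(board_square_t))
        return 0;
    return cells * sizeof(board_square_t);
}

/* Validate both dimensions, then allocate; NULL if either was rejected. */
board_square_t *alloc_board(const char *height, const char *width)
{
    int m = parse_dim(height), n = parse_dim(width);
    size_t bytes = (m < 0 || n < 0) ? 0 : board_bytes(m, n);
    return bytes ? calloc(1, bytes) : NULL;
}
```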
CVE ID | Title | CVSS | Severity | Published
CVE-2022-39313 | Parse Server crashes when receiving file download request with invalid byte range — parse-server | 7.5 | High | 2022-10-24
CVE-2022-39272 | Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration — flux2 | 5.0 | Medium | 2022-10-21
CVE-2022-2277 | A vulnerability exists in the ICCP stack of the affected SYS600 versions due to validation flaw in the process that establishes the ICCP communication. The validation flaw will cause a denial-of-service when ICCP of SYS600 is request to forward any da ... — MicroSCADA X SYS600 | 7.5 | High | 2022-09-14
CVE-2022-28199 | DPDK Input Validation Error Vulnerability — NVIDIA FLARE | 6.5 | Medium | 2022-09-01
CVE-2022-2845 | Improper Validation of Specified Quantity in Input in vim/vim — vim/vim | 7.8 | High | 2022-08-17
CVE-2022-28613 | Specially Crafted Modbus TCP Packet Vulnerability in RTU500 series — RTU500 series CMU Firmware | 7.5 | High | 2022-05-02
CVE-2022-0596 | Improper Validation of Specified Quantity in Input in microweber/microweber — microweber/microweber | 2.7 | - | 2022-02-15
CVE-2022-0414 | Improper Validation of Specified Quantity in Input in dolibarr/dolibarr — dolibarr/dolibarr | 4.3 | - | 2022-01-31
CVE-2022-22166 | Junos OS: An rpd core will occur if BGP update tracing is configured and an update containing a malformed BGP SR-TE policy tunnel attribute is received — Junos OS | 6.5 | Medium | 2022-01-19
CVE-2022-0174 | Improper Validation of Specified Quantity in Input in dolibarr/dolibarr — dolibarr/dolibarr | 4.3 | Medium | 2022-01-10
CVE-2021-31346 | Siemens Nucleus Security Vulnerability — Capital Embedded AR Classic 431-422 | 8.2 | High | 2021-11-09
CVE-2021-31345 | Siemens Nucleus Security Vulnerability — Capital Embedded AR Classic 431-422 | 7.5 | High | 2021-11-09
CVE-2020-27217 | Eclipse Hono Security Vulnerability — Eclipse Hono | 6.5 | - | 2020-11-13
CVE-2013-0270 | Keystone: openstack keystone: denial of service via large http request with long tenant name — Red Hat OpenStack Platform 13 (Queens) | 6.5 | Medium | 2013-04-12

Vulnerabilities classified as CWE-1284 represent 134 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.