Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CWE-346 (源验证错误) — Vulnerability Class 196

196 vulnerabilities classified as CWE-346 (源验证错误). AI Chinese analysis included.

CWE-346, Origin Validation Error, represents a critical weakness where software fails to adequately verify the authenticity or legitimacy of data sources and communication endpoints. Attackers typically exploit this vulnerability by spoofing trusted origins, such as forging HTTP headers or manipulating network packets to appear as if they originate from a legitimate internal system. This deception allows adversaries to bypass security controls, execute unauthorized actions, or inject malicious payloads that the application blindly trusts. To mitigate this risk, developers must implement robust validation mechanisms that strictly verify the source of incoming requests. This includes checking cryptographic signatures, validating domain names against a whitelist, and ensuring that sensitive operations are only performed when the origin is explicitly confirmed. By enforcing strict origin verification, organizations can prevent unauthorized access and maintain the integrity of their application logic against sophisticated spoofing attacks.

MITRE CWE Description
The product does not properly verify that the source of data or communication is valid.
Common Consequences (1)
Access Control, OtherGain Privileges or Assume Identity, Varies by Context
An attacker can access any functionality that is inadvertently accessible to the source.
Examples (2)
This Android application will remove a user account when it receives an intent to do so:
IntentFilter filter = new IntentFilter("com.example.RemoveUser"); MyReceiver receiver = new MyReceiver(); registerReceiver(receiver, filter); public class DeleteReceiver extends BroadcastReceiver { @Override public void onReceive(Context context, Intent intent) { int userID = intent.getIntExtra("userID"); destroyUserData(userID); } }
Bad · Java
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
// Android @Override public boolean shouldOverrideUrlLoading(WebView view, String url){ if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){ if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){ writeDataToView(view, UserData); return false; } else{ return true; } } }
Bad · Java
// iOS -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType { NSURL *URL = [exRequest URL]; if ([[URL scheme] isEqualToString:@"exampleScheme"]) { NSString *functionString = [URL resourceSpecifier]; if ([functionString hasPrefix:@"specialFunction"]) { // Make data available back in webview. UIWebView *webView = [self writeDataToView:[URL query]]; } return NO; } return YES; }
Bad · Objective-C
CVE IDTitleCVSSSeverityPublished
CVE-2020-15734 Same-origin policy vulnerability in Bitdefender Safepay — Safepay 5.5 Medium2021-04-12
CVE-2021-20199 Podman onwards 访问控制错误漏洞 — podman 5.9 -2021-02-02
CVE-2020-26251 CORS configuration is possibly vulnerable — open-zaak 4.7 Medium2020-12-18
CVE-2020-15733 URL Spoofing Vulnerability in Bitdefender SafePay (VA-8958) — Antivirus Plus 6.5 Medium2020-12-14
CVE-2020-26234 Disabled Hostname Verification in OpenCast — opencast 4.8 Medium2020-12-08
CVE-2020-26253 .dev domains treated as local in Kirby — kirby 6.8 Medium2020-12-08
CVE-2020-14519 Wibu CodeMeter WebSockets API 访问控制错误漏洞 — CodeMeter 7.5 -2020-09-16
CVE-2020-15104 TLS Validation Vulnerability in Envoy — envoy 4.6 Medium2020-07-14
CVE-2019-11777 Eclipse Paho Java client library 输入验证错误漏洞 — Eclipse Paho 7.5 -2019-09-11
CVE-2019-9498 The implementations of EAP-PWD in hostapd EAP Server do not validate the scalar and element values in EAP-pwd-Commit — hostapd with EAP-pwd support 8.1 -2019-04-17
CVE-2019-9499 The implementations of EAP-PWD in wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit — hostapd with EAP-pwd support 8.1 -2019-04-17
CVE-2018-15723 Logitech Harmony Hub 命令注入漏洞 — Logitech Harmony Hub 9.8 -2018-12-20
CVE-2018-5400 The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices, resulting in an origin validation error — DCU-210E 9.8 -2018-10-08
CVE-2018-10591 多款Advantech产品安全漏洞 — WebAccess 7.4 -2018-05-15
CVE-2017-7561 Red Hat JBoss Enterprise Application Platform 安全漏洞 — resteasy 7.5 -2017-09-13
CVE-2009-4139 Spacewalk-java: spacewalk: red hat network satellite: spacewalk java: privilege escalation via cross-site request forgery — Red Hat Enterprise Linux 6 6.8 Medium2011-07-27

Vulnerabilities classified as CWE-346 (源验证错误) represent 196 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.