Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-437 (端点特性的不完整模型) — Vulnerability Class 3

3 vulnerabilities classified as CWE-437 (端点特性的不完整模型). AI Chinese analysis included.

CWE-437 represents a design weakness where an intermediary system lacks a comprehensive understanding of an endpoint’s capabilities, behaviors, or current state. This incomplete model often leads to incorrect processing logic, such as misinterpreting data formats or failing to account for specific hardware limitations. Attackers typically exploit this by crafting malicious inputs that trigger unexpected behaviors or bypass security controls, leveraging the system’s assumptions about the endpoint’s uniformity. To mitigate this risk, developers must implement robust validation mechanisms that explicitly verify endpoint characteristics before processing requests. Utilizing standardized protocols and dynamic capability negotiation ensures that the intermediary adapts to diverse endpoint configurations. Additionally, thorough threat modeling and rigorous testing with varied client types help identify gaps in the endpoint model, preventing the system from making unsafe assumptions that could lead to functional errors or security vulnerabilities.

MITRE CWE Description
A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model.
Common Consequences (1)
Integrity, OtherUnexpected State, Varies by Context
Examples (2)
HTTP request smuggling is an attack against an intermediary such as a proxy. This attack works because the proxy expects the client to parse HTTP headers one way, but the client parses them differently.
Anti-virus products that reside on mail servers can suffer from this issue if they do not know how a mail client will handle a particular attachment. The product might treat an attachment type as safe, not knowing that the client's configuration treats it as executable.
CVE IDTitleCVSSSeverityPublished
CVE-2024-55629 Suricata generic detection bypass using TCP urgent support — suricata 7.5 High2025-01-06
CVE-2023-20084 Cisco Secure Endpoint 安全漏洞 — Cisco Secure Endpoint 5.0 Medium2023-11-22
CVE-2016-8365 OSIsoft PI System 安全漏洞 — PI System software 6.5 -2018-04-03

Vulnerabilities classified as CWE-437 (端点特性的不完整模型) represent 3 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.