
CWE-684 (Incorrect Provision of Specified Functionality) — Vulnerability Class 25

25 vulnerabilities classified as CWE-684 (Incorrect Provision of Specified Functionality). AI Chinese analysis included.

CWE-684 represents a design-level weakness where software fails to adhere to its published specifications, resulting in unintended behaviors that external callers may inadvertently exploit. This vulnerability typically arises when developers omit critical nuances in documentation or implementation, causing the system to process inputs or requests in ways that diverge from expected standards. Attackers leverage these discrepancies by crafting specific inputs that trigger the undocumented or incorrect logic paths, potentially leading to data corruption, privilege escalation, or denial of service. To mitigate this risk, developers must prioritize rigorous requirement analysis and comprehensive API documentation. Implementing strict input validation, thorough unit testing against defined specifications, and adopting contract-based design principles ensures that the software’s actual behavior aligns precisely with its intended functionality, thereby eliminating ambiguity and reducing the attack surface for exploitation.

MITRE CWE Description
The code does not function according to its published specifications, potentially leading to incorrect usage. When providing functionality to an external party, it is important that the product behaves in accordance with the details specified. When requirements of nuances are not documented, the functionality may produce unintended behaviors for the caller, possibly leading to an exploitable state.
Common Consequences (1)
Other: Quality Degradation
Mitigations (1)
Implementation: Ensure that your code strictly conforms to specifications.
Examples (2)
In the following snippet from a doPost() servlet method, the server returns "200 OK" (default) even if an error occurs.

```java
try {
    // Something that may throw an exception.
    ...
} catch (Throwable t) {
    logger.error("Caught: " + t.toString());
    return;
}
```
Bad · Java

In the following example, an HTTP 404 status code is returned in the event of an IOException encountered in a Java servlet. A 404 code is typically meant to indicate a non-existent resource and would be somewhat misleading in this case.

```java
try {
    // something that might throw IOException
    ...
} catch (IOException ioe) {
    response.sendError(SC_NOT_FOUND);
}
```
Bad · Java
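A corrected form of the two snippets above, written as an added example for this page rather than taken from the MITRE entry: every outcome of doPost() is answered with the status code that actually describes it. It assumes the javax.servlet API, a REPORT_DIR directory and a hypothetical writeReport() helper.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the MITRE entry: each outcome of doPost() is reported with the
// status that describes it, so a caller never sees "200 OK" for a failure or 404 for an I/O error.
public class ReportServlet extends HttpServlet {
    private static final Logger logger = Logger.getLogger(ReportServlet.class.getName());
    private static final Path REPORT_DIR = Path.of("/var/lib/reports"); // assumed location

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            writeReport(request, response); // reaching the end of the try is the only 200 path
        } catch (IllegalArgumentException e) {
            // Malformed id: a client error, so say so instead of pretending the request succeeded.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid report id");
        } catch (NoSuchFileException e) {
            // The resource genuinely does not exist: 404 is accurate here.
            response.sendError(HttpServletResponse.SC_NOT_FOUND, "no such report");
        } catch (IOException e) {
            // Disk or permission trouble is a server-side failure, not a missing resource.
            logger.log(Level.SEVERE, "I/O failure while serving report", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        } catch (RuntimeException e) {
            // Anything unexpected becomes a 500 rather than a silent default 200.
            logger.log(Level.SEVERE, "unhandled error in doPost", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    // Hypothetical helper: resolves and streams the requested report; it throws so doPost() can choose the status.
    private void writeReport(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String id = request.getParameter("id");
        if (id == null || !id.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("bad id"); // also rules out path traversal
        }
        // readAllBytes throws NoSuchFileException for a missing file, plain IOException otherwise.
        byte[] body = Files.readAllBytes(REPORT_DIR.resolve(id + ".txt"));
        response.setContentType("text/plain");
        response.getOutputStream().write(body);
    }
}
```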
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-44597 | Tor security vulnerability | Tor | 3.7 | Low | 2026-05-07 |
| CVE-2026-40685 | Exim buffer error vulnerability | Exim | 6.5 | Medium | 2026-04-30 |
| CVE-2026-40684 | Exim security vulnerability | Exim | 5.9 | Medium | 2026-04-30 |
| CVE-2026-42255 | Technitium DNS Server security vulnerability | DnsServer | 7.2 | High | 2026-04-26 |
| CVE-2026-35381 | uutils coreutils cut Local Logic Error and Data Integrity Issue in Output Filtering | coreutils | 3.3 | Low | 2026-04-22 |
| CVE-2026-35379 | uutils coreutils tr Local Logic Error and Data Integrity Issue in Character Class Handling | coreutils | 3.3 | Low | 2026-04-22 |
| CVE-2026-34478 | Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility | Apache Log4j Core | 8.2 (AI) | High (AI) | 2026-04-10 |
| CVE-2025-66384 | MISP security vulnerability | MISP | 8.2 | High | 2025-11-28 |
| CVE-2025-55174 | KDE Applications security vulnerability | Skanpage | 3.2 | Low | 2025-11-26 |
| CVE-2025-58325 | Fortinet FortiOS security vulnerability | FortiOS | 7.8 | High | 2025-10-14 |
| CVE-2025-54568 | Akamai Rate Control security vulnerability | Rate Control | 3.7 | Low | 2025-07-25 |
| CVE-2025-54567 | QEMU security vulnerability | QEMU | 4.2 | Medium | 2025-07-25 |
| CVE-2025-47227 | Scriptcase security vulnerability | ScriptCase | 7.5 | High | 2025-07-05 |
| CVE-2024-50357 | Century Systems FutureNet NXR security vulnerability | FutureNet NXR-G110 series | 9.8 (AI) | Critical (AI) | 2024-11-29 |
| CVE-2024-5005 | Incorrect Provision of Specified Functionality in GitLab | GitLab | 4.3 | Medium | 2024-10-11 |
| CVE-2024-8974 | Incorrect Provision of Specified Functionality in GitLab | GitLab | 2.6 | Low | 2024-09-26 |
| CVE-2024-20317 | Cisco IOS XR Software Layer 2 Services Denial of Service Vulnerability | Cisco IOS XR Software | 7.4 | High | 2024-09-11 |
| CVE-2024-6502 | Incorrect Provision of Specified Functionality in GitLab | GitLab | 5.7 | Medium | 2024-08-22 |
| CVE-2024-6425 | Incorrect Provision of Specified Functionality vulnerability in MESbook | MESbook | 9.1 | Critical | 2024-07-01 |
| CVE-2023-5363 | Incorrect cipher key & IV length processing | OpenSSL | 5.3 | - | 2023-10-24 |
| CVE-2023-4258 | bt: mesh: vulnerability in provisioning protocol implementation on provisionee side | Zephyr | 8.6 | High | 2023-09-25 |
| CVE-2023-5158 | Possible dos from guest to host in vringh_kiov_advance in vhost driver at drivers/vhost/vringh.c | kernel | 6.5 | Medium | 2023-09-25 |
| CVE-2023-24845 | Siemens RUGGEDCOM security vulnerability | RUGGEDCOM i800 | 9.1 | Critical | 2023-08-08 |
| CVE-2022-23728 | LG Smartphone security vulnerability | LG mobile devices | 6.1 | - | 2022-01-21 |
| CVE-2020-11054 | Incorrect Provision of Specified Functionality in qutebrowser | qutebrowser | 3.5 | Low | 2020-05-07 |

Vulnerabilities classified as CWE-684 (Incorrect Provision of Specified Functionality) represent 25 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.