
CWE-841 (Improper Enforcement of Behavioral Workflow) — Vulnerability Class 34

34 vulnerabilities classified as CWE-841 (Improper Enforcement of Behavioral Workflow). AI Chinese analysis included.

CWE-841 represents a logic flaw where an application fails to enforce the correct sequence of operations within a multi-step workflow. This weakness allows attackers to bypass critical security checks or business rules by executing actions out of order or skipping necessary steps entirely. For instance, an attacker might attempt to access a protected resource before completing authentication, or finalize a transaction before verifying payment details. Such manipulation can lead to unauthorized data access, financial fraud, or system instability. To mitigate this risk, developers must implement strict state management and validation mechanisms that verify each step’s completion before allowing progression. Utilizing atomic transactions, enforcing server-side state checks, and clearly defining workflow dependencies ensures that the application maintains integrity regardless of the client’s input order, thereby preventing logic bypasses and preserving the intended behavioral sequence.

MITRE CWE Description
The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the product or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses.

For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the product might still perform the transfer.

Note that this is different from CWE-696, which focuses on when the product performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence.

Workflow-related behaviors include:
- Steps are performed in the expected order.
- Required steps are not omitted.
- Steps are not interrupted.
- Steps are performed in a timely fashion.
Common Consequences (1)
Scope: Other · Impact: Alter Execution Logic
An attacker could cause the product to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.
Examples (1)
This code is part of an FTP server and deals with various commands that could be sent by a user. It is intended that a user must successfully log in before performing any other action such as retrieving or listing files.

    def dispatchCommand(command, user, args):
        if command == 'Login':
            loginUser(args)
            return
        # user has requested a file
        if command == 'Retrieve_file':
            if authenticated(user) and ownsFile(user, args):
                sendFile(args)
            return
        if command == 'List_files':
            # no authentication check: the listing is served before login
            listFiles(args)
            return
        ...

Bad · Python

The List_files branch is the flaw: it is reachable without the Login step having completed. The fix applies the same gate the Retrieve_file branch already uses.

    def dispatchCommand(command, user, args):
        ...
        if command == 'List_files':
            if authenticated(user) and ownsDirectory(user, args):
                listFiles(args)
            return
        ...

Good · Python
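The per-branch check above still relies on every future command remembering to call authenticated(). An added example (not MITRE's code and not from any listed product) that instead makes the session itself enforce the username-then-password-then-transfer sequence from the description: each state has an explicit set of legal commands, anything else is refused, and a failed login restarts the workflow. The user table, file owners and reply codes are constructed for the demonstration.

```python
import hmac
from enum import Enum, auto


class State(Enum):
    NEED_USER = auto()
    NEED_PASS = auto()
    AUTHENTICATED = auto()


# Constructed sample data (assumption for the demo, not a real server's store).
USERS = {"alice": "s3cret"}
FILE_OWNERS = {"report.txt": "alice", "payroll.csv": "bob"}

# Commands each state accepts; every other command is an out-of-sequence request.
ALLOWED = {
    State.NEED_USER: {"USER"},
    State.NEED_PASS: {"PASS"},
    State.AUTHENTICATED: {"RETR", "LIST", "QUIT"},
}


class Session:
    def __init__(self):
        self.state = State.NEED_USER
        self.user = None

    def handle(self, command, arg=""):
        """Dispatch one command; the current state, not the command name, decides legality."""
        if command not in ALLOWED[self.state]:
            return "503 Bad sequence of commands"
        if command == "USER":
            self.user = arg
            self.state = State.NEED_PASS
            return "331 Password required"
        if command == "PASS":
            expected = USERS.get(self.user, "")
            if not hmac.compare_digest(expected.encode(), arg.encode()):
                # Failed login discards the username so PASS cannot be retried alone.
                self.user, self.state = None, State.NEED_USER
                return "530 Login incorrect"
            self.state = State.AUTHENTICATED
            return "230 Logged in"
        if command == "RETR":
            # Authorization still applies after the sequence check.
            if FILE_OWNERS.get(arg) != self.user:
                return "550 Access denied"
            return f"150 Sending {arg}"
        if command == "LIST":
            return "150 " + " ".join(f for f, o in FILE_OWNERS.items() if o == self.user)
        return "221 Goodbye"
```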
CVE ID | Title | CVSS | Severity | Published
CVE-2023-1383 | Amazon Fire TV Stick security vulnerability — Fire TV Stick 3rd gen | 5.4 | Medium | 2023-05-03
CVE-2022-2102 | Secheron SEPCOS Control and Protection Relay — SEPCOS Control and Protection Relay firmware package | 9.4 | Critical | 2022-06-24
CVE-2022-2105 | Secheron SEPCOS Control and Protection Relay — SEPCOS Control and Protection Relay firmware package | 9.4 | Critical | 2022-06-24
CVE-2022-1667 | Secheron SEPCOS Control and Protection Relay — SEPCOS Control and Protection Relay firmware package | 7.5 | High | 2022-06-24

Vulnerabilities classified as CWE-841 (Improper Enforcement of Behavioral Workflow) represent 34 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.