CWE-345

ClassDraft

View on MITRE

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

217 linked vulnerabilities

1 related weaknesses

Integrity

Other

Varies by Context

Unexpected State

Automated Static Analysis

Effectiveness: High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Modes of Introduction

Architecture and Design

Implementation

Related Weaknesses

CWE-693ChildOf

Example CVEs (3)

CVE-2022-30260

Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks

CVE-2022-30267

Distributed Control System (DCS) does not sign firmware images and only relies on insecure checksums for integrity checks

CVE-2022-30272

Remote Terminal Unit (RTU) does not use signatures for firmware images and relies on insecure checksums

External Links

MITRE CWE Database

CWE-345: Insufficient Verification of Data Authenticity | Mondoo Vulnerability Intelligence