CWE-654: Reliance on a Single Factor in a Security Decision
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
常见后果
影响范围: Access Control
技术影响: Gain Privileges or Assume Identity
说明: If the single factor is compromised (e.g. by theft or spoofing), then the integrity of the entire security mechanism can be violated with respect to the user that is identified by that factor.
影响范围: Non-Repudiation
技术影响: Hide Activities
说明: It can become difficult or impossible for the product to be able to distinguish between legitimate activities by the entity who provided the factor, versus illegitimate activities by an attacker.
潜在缓解措施
阶段: Architecture and Design
描述: Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security).
阶段: Architecture and Design
描述: Use redundant access rules on different choke points (e.g., firewalls).
观察示例
参考: CVE-2022-35248
Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication
引入模式
| 阶段 | 说明 |
|---|---|
| Architecture and Design | - |
| Implementation | - |
| Operation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| ISA/IEC 62443 | Part 4-1 | Req SD-3 | - |
| ISA/IEC 62443 | Part 4-1 | Req SD-4 | - |
| ISA/IEC 62443 | Part 4-1 | Req SI-1 | - |
关键信息
CWE ID: CWE-654
抽象级别: Base
结构: Simple
状态: Draft