The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.
View on MITREIf two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.
The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files.
No detection method information available for this CWE.
These two Struts validation forms have the same name.
It is not certain which form will be used by Struts. It is critically important that validation logic be maintained and kept in sync with the rest of the product.
No relationship information available for this CWE.
CWE-102: Struts: Duplicate Validation Forms is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect. If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations, possibly leading to resultant weaknesses. Moreover, it indicates that the validation logic is not up-to-date, and can indicate that other, more subtle validation errors are present.
If exploited, CWE-102 (Struts: Duplicate Validation Forms) it can compromise Integrity, leading to outcomes such as Unexpected State.
Recommended mitigations for CWE-102 include: The DTD or schema validation will not catch the duplicate occurrence of the same form name. To find the issue in the implementation, manual checks or automated static analysis could be applied to the xml configuration files.
CWE-102 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-102 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.