CWE-105: Struts: Form Field Without Validator

VariantDraft

The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

View on MITRE
Back to CWE Lookup

Extended Description

Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-105: Struts: Form Field Without Validator?+

CWE-105: Struts: Form Field Without Validator is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation. Omitting validation for even a single input field may give attackers the leeway they need to compromise the product. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

What are the security consequences of Struts: Form Field Without Validator?+

If exploited, CWE-105 (Struts: Form Field Without Validator) it can compromise Integrity, leading to outcomes such as Unexpected State and Bypass Protection Mechanism.

How do you prevent or mitigate Struts: Form Field Without Validator?+

Recommended mitigations for CWE-105 include: Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.

Which programming languages are affected by Struts: Form Field Without Validator?+

CWE-105 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-105 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More