CWE-184: Incomplete List of Disallowed Inputs

BaseDraft

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-184: Incomplete List of Disallowed Inputs?+

CWE-184: Incomplete List of Disallowed Inputs is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

What are the security consequences of Incomplete List of Disallowed Inputs?+

If exploited, CWE-184 (Incomplete List of Disallowed Inputs) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.

How do you prevent or mitigate Incomplete List of Disallowed Inputs?+

Recommended mitigations for CWE-184 include: Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

How is Incomplete List of Disallowed Inputs detected?+

CWE-184 can be detected using Black Box. Combining automated tooling with manual review typically yields the best coverage.

Which programming languages are affected by Incomplete List of Disallowed Inputs?+

CWE-184 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Incomplete List of Disallowed Inputs?+

MITRE documents real CVEs mapped to CWE-184, including CVE-2024-4315, CVE-2008-2309, CVE-2005-2782, CVE-2004-0542 and CVE-2004-0595. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-184 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More