CWE-348: Use of Less Trusted Source
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
View on MITRETechnical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
An attacker could utilize the untrusted data source to bypass protection mechanisms and gain access to sensitive data.
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
This code attempts to limit the access of a page to certain IP Addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy.
The 'HTTP_X_FORWARDED_FOR' header can be user controlled and so should never be trusted. An attacker can falsify the header to gain access to the page.
This code attempts to limit the access of a page to certain IP Addresses. It checks the 'HTTP_X_FORWARDED_FOR' header in case an authorized user is sending the request through a proxy.
The 'HTTP_X_FORWARDED_FOR' header can be user controlled and so should never be trusted. An attacker can falsify the header to gain access to the page.
Observed CVE Examples (4)
Product uses IP address provided by a client, instead of obtaining it from the packet headers, allowing easier spoofing.
View DetailsWeb product uses the IP address in the X-Forwarded-For HTTP header instead of a server variable that uses the connecting IP address, allowing filter bypass.
View DetailsProduct logs IP address specified by the client instead of obtaining it from the packet headers, allowing information hiding.
View DetailsPHP application uses IP address from X-Forwarded-For HTTP header, instead of REMOTE_ADDR.
View DetailsCWE Relationships
Frequently Asked Questions
What is CWE-348: Use of Less Trusted Source?+
CWE-348: Use of Less Trusted Source is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
What are the security consequences of Use of Less Trusted Source?+
If exploited, CWE-348 (Use of Less Trusted Source) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism and Gain Privileges or Assume Identity.
Which programming languages are affected by Use of Less Trusted Source?+
CWE-348 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Use of Less Trusted Source?+
MITRE documents real CVEs mapped to CWE-348, including CVE-2001-0860, CVE-2004-1950, CVE-2001-0908 and CVE-2006-1126. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-348 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.