Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.
View on MITREA duplicate key entry -- if the alist is designed properly -- could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed.
Use a hash table instead of an alist.
Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry.
No detection method information available for this CWE.
The following code adds data to a list and then attempts to sort the data.
Since basename is not necessarily unique, this may not sort how one would like it to be.
No relationship information available for this CWE.
CWE-462: Duplicate Key in Associative List (Alist) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. A duplicate key entry -- if the alist is designed properly -- could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed.
If exploited, CWE-462 (Duplicate Key in Associative List (Alist)) it can compromise Other, leading to outcomes such as Quality Degradation and Varies by Context.
Recommended mitigations for CWE-462 include: Use a hash table instead of an alist. Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry.
CWE-462 commonly affects C, C++, Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-462 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.