CWE-462: Duplicate Key in Associative List (Alist)

VariantIncompleteExploit Likelihood: Low

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

View on MITRE
Back to CWE Lookup

Extended Description

A duplicate key entry -- if the alist is designed properly -- could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed.

Technical Details

Structure
Simple

Applicable To

Languages
CC++JavaC#
Platforms

Frequently Asked Questions

What is CWE-462: Duplicate Key in Associative List (Alist)?+

CWE-462: Duplicate Key in Associative List (Alist) is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error. A duplicate key entry -- if the alist is designed properly -- could be used as a constant time replace function. However, duplicate key entries could be inserted by mistake. Because of this ambiguity, duplicate key entries in an association list are not recommended and should not be allowed.

What are the security consequences of Duplicate Key in Associative List (Alist)?+

If exploited, CWE-462 (Duplicate Key in Associative List (Alist)) it can compromise Other, leading to outcomes such as Quality Degradation and Varies by Context.

How do you prevent or mitigate Duplicate Key in Associative List (Alist)?+

Recommended mitigations for CWE-462 include: Use a hash table instead of an alist. Use an alist which checks the uniqueness of hash keys with each entry before inserting the entry.

Which programming languages are affected by Duplicate Key in Associative List (Alist)?+

CWE-462 commonly affects C, C++, Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-462 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More