CWE-642: External Control of Critical State Data
low-riskThe product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
Common Consequences
Detection Methods
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2019-9496 | 7.5 | 2.4% | — |
| CVE-2020-27872 | 8.8 | 1.1% | — |
| CVE-2018-15382 | 8.6 | 0.7% | — |
| CVE-2018-15382 | 8.6 | 0.7% | — |
| CVE-2023-0575 | 7.2 | 0.5% | — |
| CVE-2022-32859 | 5.3 | 0.2% | — |
| CVE-2017-0928 | 6.1 | 0.2% | — |
| CVE-2017-0928 | 6.1 | 0.2% | — |
| CVE-2020-1976 | 4.7 | 0.1% | — |
| CVE-2024-22387 | 6.8 | 0.1% | — |