The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

What CVEs are caused by CWE-628?

2 recorded CVEs are attributed to CWE-628, including CVE-2019-14844, CVE-2019-7303.

How do you prevent CWE-628?

Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.

How is CWE-628 detected?

Other: Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.

What are the consequences of CWE-628?

Exploiting CWE-628 can lead to: Quality Degradation, Gain Privileges or Assume Identity.

Is CWE-628 actively exploited?

2 recorded CVEs are caused by CWE-628; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-628: Function Call with Incorrectly Specified Arguments

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

CWE-628: Function Call with Incorrectly Specified Arguments

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.

Vulnerable example

php

function authenticate($username, $password) {

This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.

Vulnerable example

perl

sub ReportAuth {

In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.

Vulnerable example

java

private static final String[] ADMIN_ROLES = ...;

When it is introduced

CWE-628: Function Call with Incorrectly Specified Arguments

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Other

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-628?

What CVEs are caused by CWE-628?

How do you prevent CWE-628?

How is CWE-628 detected?

What are the consequences of CWE-628?

Is CWE-628 actively exploited?

References

Stay ahead of CWE-628

When it is introduced

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Other

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-628?

What CVEs are caused by CWE-628?

How do you prevent CWE-628?

How is CWE-628 detected?

What are the consequences of CWE-628?

Is CWE-628 actively exploited?

References

Stay ahead of CWE-628