
CWE-103

Struts: Incomplete validate() Method Definition

Abstraction: Variant | Status: Draft | Structure: Simple
The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Common consequences (2)

  • Scope: Other | Impact: Unexpected State | Likelihood: Varies by Context

    If the code does not call super.validate(), the Validation Framework cannot check the contents of the form against a validation form. In other words, the validation framework will be disabled for the given form. Disabling the validation framework for a form exposes the product to numerous types of attacks.

  • Scope: Confidentiality, Integrity, Availability, Other | Impact: Other

    Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.

Potential mitigations (1)

  1. Implementation

    Implement the validate() method and call super.validate() within that method.
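The mitigation above, shown as an added example that is not code from the CWE entry: a Struts 1 ValidatorForm subclass whose validate() override omits super.validate(), beside the corrected form. It assumes Struts 1.x; the class names, the email field and the message keys are hypothetical.

```java
// Added illustration of CWE-103; assumes Struts 1.x and its ValidatorForm base class.
import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.validator.ValidatorForm;

// WEAK: overrides validate() but never calls super.validate(), so every rule
// declared for this form in validation.xml (required, mask, maxlength, ...)
// is silently skipped. Only the single hand-written check below runs.
class IncompleteRegistrationForm extends ValidatorForm {
    private String email;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (email != null && !email.contains("@")) {
            errors.add("email", new ActionMessage("errors.email.format"));
        }
        return errors; // framework validation for this form is effectively disabled
    }
}

// FIXED: delegate to super.validate() first so the Validation Framework checks
// the submitted fields against validation.xml, then layer form-specific checks
// on top of whatever errors the framework already collected.
class RegistrationForm extends ValidatorForm {
    private String email;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @Override
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = super.validate(mapping, request);
        if (errors == null) {
            errors = new ActionErrors(); // defensive: keep a non-null container
        }
        if (email != null && !email.contains("@")) {
            errors.add("email", new ActionMessage("errors.email.format"));
        }
        return errors; // framework errors plus the custom check
    }
}
```

A code-review or static check that flags any ValidatorForm subclass overriding validate() without a super.validate() call catches both variants of this weakness (the missing override is caught by the framework itself, since the inherited method still runs).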

Relationships2

CVEs referencing this CWE

No CVEs reference this CWE yet

CWE assignments come from NVD/CNA assigners and OSS advisories. Some CWEs (Pillars, Composites) are abstract and rarely cited directly.