LiveActive security incident?Get immediate response
CWE Reference

CWE-477: Use of Obsolete Function | Glexia

CWE-477 (Use of Obsolete Function) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK context.

Release 4.20weaknessDraft

Glexia's Take · Automated analysis

CWE-477: Use of Obsolete Function

Use of Obsolete Function represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Other: Quality Degradation

Developer Pattern

CWE-477 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Automation confidence

high confidence from CWE-477, 4.20.

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Official CWE Definition

CWE-477: Use of Obsolete Function

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

Type
weakness
Abstraction
Base
Status
Draft
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following code uses the deprecated function getpw() to verify that a plaintext password matches a user's encrypted password. If the password is valid, the function sets result to 1; otherwise it is set to 0. Although the code often behaves correctly, using the getpw() function can be problematic from a security standpoint, because it can overflow the buffer passed to its second parameter. Because of this vulnerability, getpw() has been supplanted by getpwuid(), which performs the same lookup as getpw() but returns a pointer to a statically-allocated structure to mitigate the risk. Not all functions are deprecated or replaced because they pose a security risk. However, the presence of an obsolete function often indicates that the surrounding code has been neglected and may be in a state of disrepair. Software security has not been a priority, or even a consideration, for very long. If the program uses deprecated or obsolete functions, it raises the probability that there are security problems lurking nearby.
  • In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null pointer exception when it attempts to call the "Trim()" method.
  • The following code constructs a string object from an array of bytes and a value that specifies the top 8 bits of each 16-bit Unicode character. In this example, the constructor may not correctly convert bytes to characters depending upon which charset is used to encode the string represented by nameBytes. Due to the evolution of the charsets used to encode strings, this constructor was deprecated and replaced by a constructor that accepts as one of its parameters the name of the charset used to encode the bytes for conversion.

Remediation

  • Implementation: Refer to the documentation for the obsolete function in order to determine why it is deprecated or obsolete and to learn about alternative ways to achieve the same functionality.
  • Requirements: Consider seriously the security implications of using an obsolete function. Consider using alternate functions.

Detection

  • Automated Static Analysis - Binary or Bytecode:
  • Manual Static Analysis - Binary or Bytecode:
  • Dynamic Analysis with Manual Results Interpretation:
  • Manual Static Analysis - Source Code:
  • Automated Static Analysis - Source Code:
  • Automated Static Analysis:
  • Architecture or Design Review:

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

Open CWE CVE mapping

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.