CWE-628: Function Call with Incorrectly Specified Arguments | Glexia
CWE-628 (Function Call with Incorrectly Specified Arguments) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK…
Glexia's Take · Automated analysis
CWE-628: Function Call with Incorrectly Specified Arguments
Function Call with Incorrectly Specified Arguments represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Other,Access Control: Quality Degradation,Gain Privileges or Assume Identity: This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.
Developer Pattern
CWE-628 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Automation confidence
high confidence from CWE-628, 4.20.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Official CWE Definition
CWE-628: Function Call with Incorrectly Specified Arguments
The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.
- This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.
- In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.
Remediation
- Build and Compilation: Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
- Architecture and Design: Make sure your API's are stable before you use them in production code.
Detection
- Other: Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
- CWE-573: Improper Following of Specification by Caller
- CWE-683: Function Call With Incorrect Order of Arguments
- CWE-685: Function Call With Incorrect Number of Arguments
- CWE-686: Function Call With Incorrect Argument Type
- CWE-687: Function Call With Incorrectly Specified Argument Value
- CWE-688: Function Call With Incorrect Variable or Reference as Argument
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.
