LiveActive security incident?Get immediate response
CWE Reference

CWE-628: Function Call with Incorrectly Specified Arguments | Glexia

CWE-628 (Function Call with Incorrectly Specified Arguments) weakness overview with consequences, detection methods, mitigations, related CVEs and MITRE ATT&CK…

Release 4.20weaknessDraft

Glexia's Take · Automated analysis

CWE-628: Function Call with Incorrectly Specified Arguments

Function Call with Incorrectly Specified Arguments represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Other,Access Control: Quality Degradation,Gain Privileges or Assume Identity: This weakness can cause unintended behavior and can lead to additional weaknesses such as allowing an attacker to gain unintended access to system resources.

Developer Pattern

CWE-628 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Automation confidence

high confidence from CWE-628, 4.20.

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Official CWE Definition

CWE-628: Function Call with Incorrectly Specified Arguments

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Type
weakness
Abstraction
Base
Status
Draft
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following PHP method authenticates a user given a username/password combination but is called with the parameters in reverse order.
  • This Perl code intends to record whether a user authenticated successfully or not, and to exit if the user fails to authenticate. However, when it calls ReportAuth(), the third argument is specified as 0 instead of 1, so it does not exit.
  • In the following Java snippet, the accessGranted() method is accidentally called with the static ADMIN_ROLES array rather than the user roles.

Remediation

  • Build and Compilation: Once found, these issues are easy to fix. Use code inspection tools and relevant compiler features to identify potential violations. Pay special attention to code that is not likely to be exercised heavily during QA.
  • Architecture and Design: Make sure your API's are stable before you use them in production code.

Detection

  • Other: Since these bugs typically introduce incorrect behavior that is obvious to users, they are found quickly, unless they occur in rarely-tested code paths. Managing the correct number of arguments can be made more difficult in cases where format strings are used, or when variable numbers of arguments are supported.

Mappings

Related CVEs, CWEs, and ATT&CK context