CWE-471(Modification of Assumed-Immutable Data (MAID))は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。
The product does not properly protect an assumed-immutable element from being modified by an attacker.
| 種別 | 名称 | クラス | 普遍性 | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
| technology | — | Web Based | Undetermined | — |
これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。
| CVE | 公開 | 概要 |
|---|---|---|
| CVE-2026-44798 | 2026-05-28 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the cur… |
| CVE-2026-8492 | 2026-05-19 | Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0… |
| CVE-2024-57708 | 2025-06-25 | An issue in OneTrust SDK v.6.33.0 allows a local attacker to cause a denial of service via the Object.setPrototypeOf, __proto__, and Object.assign components. NOTE: this is disputed by the Supplier wh… |
| CVE-2025-33136 | 2025-05-22 | IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed… |
| CVE-2024-9876 | 2025-04-30 | : Modification of Assumed-Immutable Data (MAID) vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini.This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4. |
| CVE-2024-55551 | 2025-03-19 | An issue was discovered in Exasol JDBC driver before 24.2.1 (2024-12-10). Attackers can inject malicious parameters into the JDBC URL, triggering JNDI injection during the process when the JDBC Driver… |
| CVE-2024-45672 | 2025-01-23 | IBM Security Verify Bridge 1.0.0 through 1.0.15 could allow a local privileged user to overwrite files due to excessive privileges granted to the agent. which could also cause a denial of service. |
| CVE-2024-51462 | 2025-01-17 | IBM QRadar WinCollect Agent 10.0.0 through 10.1.12 could allow a remote attacker to inject XML data into parameter values due to improper input validation of assumed immutable data. |
| CVE-2024-34517 | 2024-05-07 | The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. |
| CVE-2023-46232 | 2023-10-25 | era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. Prior to era-compiler-vype version 1.3.10, a bug prevented the initia… |
| CVE-2023-43697 | 2023-10-09 | Modification of Assumed-Immutable Data (MAID) in RDT400 in SICK APU allows an unprivileged remote attacker to make the site unable to load necessary strings via changing file paths using HTTP request… |
| CVE-2023-2904 | 2023-06-07 | The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log … |
| CVE-2022-25893 | 2022-12-21 | The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a h… |
| CVE-2022-3288 | 2022-10-17 | A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the defau… |
| CVE-2022-2390 | 2022-08-12 | Apps developed with Google Play Services SDK incorrectly had the mutability flag set to PendingIntents that were passed to the Notification service. As Google Play services SDK is so widely used, this… |
| CVE-2022-1561 | 2022-08-01 | Lura and KrakenD-CE versions older than v2.0.2 and KrakenD-EE versions older than v2.0.0 do not sanitize URL parameters correctly, allowing a malicious user to alter the backend URL defined for a pipe… |
| CVE-2022-21824 | 2022-02-24 | Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with… |
| CVE-2021-24046 | 2022-01-14 | A logic flaw in Ray-Ban® Stories device software allowed some parameters like video capture duration limit to be modified through the Facebook View application. This issue affected versions of device … |
| CVE-2021-42701 | 2021-11-05 | An attacker could prepare a specially crafted project file that, if opened, would attempt to connect to the cloud and trigger a man in the middle (MiTM) attack. This could allow an attacker to obtain … |
| CVE-2021-37193 | 2021-09-14 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could manipulate certain parameter… |
| 日付 | 名称 | バージョン | 重要度 | コメント |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | 1.0 | — | added/updated demonstrative examples |
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Potential_Mitigations, Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Other_Notes |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Potential_Mitigations |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Related_Attack_Patterns |
| 2010-12-13 | CWE Content Team | 1.11 | — | updated Related_Attack_Patterns |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Relationships |
| 2013-07-17 | CWE Content Team | 2.5 | — | updated Relationships |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Related_Attack_Patterns |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationship_Notes, Theoretical_Notes, Time_of_Introduction |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Related_Attack_Patterns |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-04-03 | CWE Content Team | 4.17 | — | updated Relationships |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Weakness_Ordinalities |