The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

At its core, Common Weakness Enumerations (CWEs) are software weaknesses. CWEs provide a taxonomy to categorize and describe software weaknesses, giving developers and security practitioners a common language for software security.

MITRE owns and maintains the project. To learn more about CWE, click here.

Search below to see Coverity's CWE support of languages in your codebase.

Interested in a specific language or platform?



Language/Platform CWE Description
Apex 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Apex 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Apex 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Apex 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Apex 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Apex 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Apex 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Apex 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Apex 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Apex 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Apex 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Apex 199 Weaknesses in this category are related to improper handling of sensitive information.
Apex 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
Apex 242 The product calls a function that can never be guaranteed to work safely.
Apex 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Apex 255 Weaknesses in this category are related to the management of credentials.
Apex 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Apex 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Apex 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Apex 269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Apex 274 The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.
Apex 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Apex 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Apex 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Apex 311 The product does not encrypt sensitive or critical information before storage or transmission.
Apex 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Apex 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
Apex 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Apex 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Apex 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Apex 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Apex 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Apex 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Apex 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
Apex 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
Apex 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Apex 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Apex 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Apex 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Apex 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Apex 657 The product violates well-established principles for secure design.
Apex 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Apex 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Apex 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Apex 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Apex 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Apex 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Apex 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Apex 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Apex 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
Apex 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Apex 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
Apex 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Apex 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Apex 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Apex 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Apex 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Apex 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Apex 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Apex 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Apex 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
Apex 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Apex 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Apex 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Apex 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Apex 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Apex 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Apex 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
Apex 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Apex 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Apex 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Apex 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Apex 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Apex 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Apex 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Apex 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Apex 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Apex 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
Apex 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Apex 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
Apex 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Apex 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Apex 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
Apex 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Apex 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Apex 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Apex 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Apex 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Apex 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Apex 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
Apex 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Apex 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
Apex 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Apex 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Apex 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Apex 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Apex 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Apex 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Apex 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Apex 901 This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).
Apex 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Apex 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Apex 917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Apex 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Apex 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Apex 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
Apex 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Apex 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Apex 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
Apex 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
Apex 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Apex 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Apex 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Apex 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Apex 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
Apex 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
Apex 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Apex 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Apex 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Apex 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Apex 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Apex 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Apex 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Apex 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Apex 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Apex 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
Apex 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Apex 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Apex 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Apex 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Apex 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Apex 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Apex 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
Apex 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Apex 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Apex 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Apex 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Apex 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Apex 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Apex 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Apex 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Apex 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Apex 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Apex 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
Apex 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Apex 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Apex 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Apex 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Apex 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Apex 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Apex 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Apex 1171 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
Apex 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Apex 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Apex 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Apex 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Apex 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Apex 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Apex 1213 Weaknesses in this category are related to a software system's random number generation.
Apex 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
Apex 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Apex 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Apex 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Apex 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Apex 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Apex 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Apex 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Apex 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Apex 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Apex 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Apex 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Apex 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Apex 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Apex 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1373 Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Apex 1396 Weaknesses in this category are related to access control.
Apex 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Apex 1402 Weaknesses in this category are related to encryption.
Apex 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
Apex 1406 Weaknesses in this category are related to improper input validation.
Apex 1407 Weaknesses in this category are related to improper neutralization.
Apex 1409 Weaknesses in this category are related to injection.
Apex 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
Apex 1412 Weaknesses in this category are related to poor coding practices.
Apex 1413 Weaknesses in this category are related to protection mechanism failure.
Apex 1414 Weaknesses in this category are related to randomness.
Apex 1416 Weaknesses in this category are related to resource lifecycle management.
Apex 1418 Weaknesses in this category are related to violation of secure design principles.
C# 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
C# 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
C# 10 This category has been deprecated. It added unnecessary depth and complexity to its associated views.
C# 11 Debugging messages help attackers learn about the system and plan a form of attack.
C# 16 Weaknesses in this category are typically introduced during the configuration of the software.
C# 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
C# 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
C# 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
C# 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
C# 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
C# 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
C# 73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
C# 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
C# 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
C# 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
C# 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
C# 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
C# 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
C# 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
C# 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
C# 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
C# 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
C# 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
C# 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
C# 90 The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
C# 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
C# 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
C# 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
C# 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
C# 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
C# 133 Weaknesses in this category are related to the creation and modification of strings.
C# 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
C# 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
C# 140 The product does not neutralize or incorrectly neutralizes delimiters.
C# 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
C# 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
C# 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
C# 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
C# 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
C# 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
C# 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
C# 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
C# 183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
C# 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
C# 190 The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
C# 199 Weaknesses in this category are related to improper handling of sensitive information.
C# 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
C# 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
C# 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
C# 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
C# 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
C# 215 The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
C# 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
C# 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
C# 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
C# 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
C# 248 An exception is thrown from a function, but it is not caught.
C# 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
C# 252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
C# 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
C# 255 Weaknesses in this category are related to the management of credentials.
C# 256 Storing a password in plaintext may result in a system compromise.
C# 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
C# 258 Using an empty string as a password is insecure.
C# 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
C# 260 The product stores a password in a configuration file that might be accessible to actors who do not know the password.
C# 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
C# 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
C# 275 Weaknesses in this category are related to improper assignment or handling of permissions.
C# 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
C# 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
C# 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
C# 295 The product does not validate, or incorrectly validates, a certificate.
C# 296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
C# 299 The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
C# 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
C# 304 The product implements an authentication technique, but it skips a step that weakens the technique.
C# 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
C# 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
C# 311 The product does not encrypt sensitive or critical information before storage or transmission.
C# 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
C# 313 The product stores sensitive information in cleartext in a file, or on disk.
C# 314 The product stores sensitive information in cleartext in the registry.
C# 315 The product stores sensitive information in cleartext in a cookie.
C# 317 The product stores sensitive information in cleartext within the GUI.
C# 318 The product stores sensitive information in cleartext in an executable.
C# 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
C# 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
C# 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
C# 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
C# 327 The product uses a broken or risky cryptographic algorithm or protocol.
C# 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
C# 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
C# 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
C# 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
C# 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
C# 346 The product does not properly verify that the source of data or communication is valid.
C# 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
C# 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
C# 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
C# 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
C# 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
C# 362 The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
C# 366 If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
C# 369 The product divides a value by zero.
C# 371 Weaknesses in this category are related to improper management of system state.
C# 376 This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).
C# 377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
C# 379 The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
C# 380 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 381 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
C# 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
C# 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
C# 390 The product detects a specific error, but takes no actions to handle the error.
C# 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
C# 399 Weaknesses in this category are related to improper management of system resources.
C# 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
C# 402 The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
C# 403 A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
C# 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
C# 405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
C# 409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
C# 411 Weaknesses in this category are related to improper handling of locks that are used to control access to resources.
C# 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
C# 427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
C# 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
C# 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
C# 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
C# 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
C# 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
C# 461 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 463 The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
C# 465 Weaknesses in this category are related to improper handling of pointers.
C# 470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
C# 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
C# 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
C# 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
C# 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
C# 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
C# 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
C# 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
C# 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
C# 519 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 521 The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
C# 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
C# 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
C# 526 The product uses an environment variable to store unencrypted sensitive information.
C# 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
C# 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
C# 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
C# 539 The web application uses persistent cookies, but the cookies contain sensitive information.
C# 540 Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
C# 543 The product uses the singleton pattern when creating a resource within a multithreaded environment.
C# 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
C# 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
C# 557 Weaknesses in this category are related to concurrent use of shared resources.
C# 558 The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
C# 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C# 561 The product contains dead code, which can never be executed.
C# 563 The variable's value is assigned but never used, making it a dead store.
C# 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
C# 567 The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
C# 569 Weaknesses in this category are related to incorrectly written expressions within code.
C# 570 The product contains an expression that will always evaluate to false.
C# 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
C# 595 The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
C# 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
C# 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
C# 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
C# 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
C# 615 While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.
C# 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
C# 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
C# 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C# 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C# 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C# 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C# 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
C# 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
C# 642 The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
C# 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
C# 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
C# 657 The product violates well-established principles for secure design.
C# 662 The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
C# 663 The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
C# 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
C# 667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
C# 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
C# 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
C# 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
C# 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
C# 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
C# 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
C# 683 The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
C# 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
C# 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
C# 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
C# 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
C# 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
C# 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
C# 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
C# 705 The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
C# 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
C# 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
C# 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
C# 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C# 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
C# 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
C# 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
C# 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
C# 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
C# 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
C# 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
C# 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
C# 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
C# 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
C# 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
C# 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
C# 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
C# 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
C# 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
C# 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
C# 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
C# 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
C# 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
C# 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
C# 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
C# 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
C# 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
C# 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
C# 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
C# 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
C# 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
C# 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
C# 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
C# 745 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
C# 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
C# 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
C# 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
C# 749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
C# 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
C# 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
C# 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
C# 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
C# 754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
C# 755 The product does not handle or incorrectly handles an exceptional condition.
C# 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
C# 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
C# 776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
C# 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
C# 780 The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
C# 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
C# 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
C# 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
C# 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
C# 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
C# 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
C# 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
C# 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C# 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
C# 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
C# 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
C# 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
C# 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
C# 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
C# 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
C# 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
C# 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
C# 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
C# 820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
C# 827 The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.
C# 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
C# 833 The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
C# 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
C# 835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
C# 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
C# 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
C# 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 847 Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 852 Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 853 Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 854 Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 855 Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C# 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
C# 863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
C# 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C# 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C# 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C# 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
C# 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
C# 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 879 Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C# 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
C# 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
C# 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
C# 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
C# 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
C# 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
C# 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
C# 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
C# 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
C# 894 This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).
C# 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
C# 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
C# 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
C# 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
C# 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
C# 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C# 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
C# 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
C# 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
C# 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
C# 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
C# 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
C# 915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
C# 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
C# 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
C# 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
C# 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C# 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
C# 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
C# 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
C# 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
C# 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
C# 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
C# 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
C# 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
C# 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
C# 942 The product uses a cross-domain policy file that includes domains that should not be trusted.
C# 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
C# 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
C# 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
C# 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
C# 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
C# 948 This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
C# 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
C# 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
C# 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
C# 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
C# 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
C# 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
C# 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
C# 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
C# 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
C# 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
C# 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
C# 964 This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.
C# 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
C# 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
C# 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
C# 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
C# 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
C# 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
C# 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
C# 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
C# 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
C# 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
C# 986 This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).
C# 988 This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).
C# 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
C# 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
C# 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
C# 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
C# 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
C# 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
C# 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
C# 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
C# 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
C# 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
C# 1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
C# 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
C# 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
C# 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
C# 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
C# 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
C# 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
C# 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
C# 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
C# 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
C# 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
C# 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
C# 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
C# 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
C# 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
C# 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
C# 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
C# 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
C# 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
C# 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
C# 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
C# 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
C# 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
C# 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
C# 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
C# 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
C# 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
C# 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
C# 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
C# 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
C# 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
C# 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
C# 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
C# 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
C# 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1142 Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1143 Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1145 Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
C# 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
C# 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
C# 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
C# 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
C# 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
C# 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
C# 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
C# 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
C# 1166 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.
C# 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
C# 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
C# 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
C# 1171 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
C# 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
C# 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
C# 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
C# 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
C# 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
C# 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
C# 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
C# 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
C# 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
C# 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
C# 1204 The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.
C# 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
C# 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
C# 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
C# 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
C# 1213 Weaknesses in this category are related to a software system's random number generation.
C# 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
C# 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
C# 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
C# 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
C# 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
C# 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
C# 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
C# 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
C# 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
C# 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
C# 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
C# 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
C# 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
C# 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
C# 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
C# 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
C# 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
C# 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
C# 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
C# 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
C# 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
C# 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C# 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C# 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C# 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C# 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C# 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1376 Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C# 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
C# 1396 Weaknesses in this category are related to access control.
C# 1397 Weaknesses in this category are related to comparison.
C# 1398 Weaknesses in this category are related to component interaction.
C# 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
C# 1401 Weaknesses in this category are related to concurrency.
C# 1402 Weaknesses in this category are related to encryption.
C# 1403 Weaknesses in this category are related to exposed resource.
C# 1404 Weaknesses in this category are related to file handling.
C# 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
C# 1406 Weaknesses in this category are related to improper input validation.
C# 1407 Weaknesses in this category are related to improper neutralization.
C# 1408 Weaknesses in this category are related to incorrect calculation.
C# 1409 Weaknesses in this category are related to injection.
C# 1410 Weaknesses in this category are related to insufficient control flow management.
C# 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
C# 1412 Weaknesses in this category are related to poor coding practices.
C# 1413 Weaknesses in this category are related to protection mechanism failure.
C# 1414 Weaknesses in this category are related to randomness.
C# 1415 Weaknesses in this category are related to resource control.
C# 1416 Weaknesses in this category are related to resource lifecycle management.
C# 1417 Weaknesses in this category are related to sensitive information exposure.
C# 1418 Weaknesses in this category are related to violation of secure design principles.
C/C++ 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
C/C++ 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
C/C++ 14 Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
C/C++ 16 Weaknesses in this category are typically introduced during the configuration of the software.
C/C++ 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
C/C++ 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
C/C++ 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
C/C++ 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
C/C++ 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
C/C++ 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
C/C++ 59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
C/C++ 66 The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.
C/C++ 67 The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
C/C++ 68 This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships.
C/C++ 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
C/C++ 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
C/C++ 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
C/C++ 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
C/C++ 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
C/C++ 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
C/C++ 93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
C/C++ 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
C/C++ 99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
C/C++ 113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
C/C++ 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
C/C++ 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
C/C++ 118 The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.
C/C++ 119 The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
C/C++ 120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
C/C++ 121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
C/C++ 122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
C/C++ 123 Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
C/C++ 124 The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
C/C++ 125 The product reads data past the end, or before the beginning, of the intended buffer.
C/C++ 126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
C/C++ 127 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
C/C++ 128 Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
C/C++ 129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
C/C++ 130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
C/C++ 131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
C/C++ 133 Weaknesses in this category are related to the creation and modification of strings.
C/C++ 134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
C/C++ 135 The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.
C/C++ 136 Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types.
C/C++ 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
C/C++ 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
C/C++ 140 The product does not neutralize or incorrectly neutralizes delimiters.
C/C++ 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
C/C++ 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
C/C++ 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
C/C++ 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
C/C++ 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
C/C++ 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
C/C++ 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
C/C++ 169 This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy.
C/C++ 170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
C/C++ 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
C/C++ 187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
C/C++ 188 The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
C/C++ 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
C/C++ 190 The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
C/C++ 191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
C/C++ 192 Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.
C/C++ 193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
C/C++ 194 The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
C/C++ 195 The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
C/C++ 197 Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
C/C++ 198 The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.
C/C++ 199 Weaknesses in this category are related to improper handling of sensitive information.
C/C++ 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
C/C++ 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
C/C++ 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
C/C++ 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
C/C++ 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
C/C++ 216 This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.
C/C++ 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
C/C++ 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
C/C++ 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
C/C++ 228 The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
C/C++ 237 The product does not handle or incorrectly handles inputs that are related to complex structures.
C/C++ 240 The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.
C/C++ 241 The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
C/C++ 242 The product calls a function that can never be guaranteed to work safely.
C/C++ 243 The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.
C/C++ 244 Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
C/C++ 247 This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.
C/C++ 248 An exception is thrown from a function, but it is not caught.
C/C++ 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
C/C++ 252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
C/C++ 253 The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
C/C++ 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
C/C++ 255 Weaknesses in this category are related to the management of credentials.
C/C++ 256 Storing a password in plaintext may result in a system compromise.
C/C++ 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
C/C++ 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
C/C++ 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
C/C++ 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
C/C++ 269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
C/C++ 271 The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
C/C++ 272 The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
C/C++ 273 The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
C/C++ 275 Weaknesses in this category are related to improper assignment or handling of permissions.
C/C++ 276 During installation, installed file permissions are set to allow anyone to modify those files.
C/C++ 282 The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
C/C++ 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
C/C++ 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
C/C++ 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
C/C++ 290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
C/C++ 291 The product uses an IP address for authentication.
C/C++ 293 The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
C/C++ 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
C/C++ 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
C/C++ 311 The product does not encrypt sensitive or critical information before storage or transmission.
C/C++ 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
C/C++ 313 The product stores sensitive information in cleartext in a file, or on disk.
C/C++ 314 The product stores sensitive information in cleartext in the registry.
C/C++ 315 The product stores sensitive information in cleartext in a cookie.
C/C++ 317 The product stores sensitive information in cleartext within the GUI.
C/C++ 318 The product stores sensitive information in cleartext in an executable.
C/C++ 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
C/C++ 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
C/C++ 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
C/C++ 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
C/C++ 327 The product uses a broken or risky cryptographic algorithm or protocol.
C/C++ 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
C/C++ 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
C/C++ 335 The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
C/C++ 336 A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
C/C++ 337 A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
C/C++ 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
C/C++ 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
C/C++ 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
C/C++ 350 The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
C/C++ 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
C/C++ 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
C/C++ 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
C/C++ 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
C/C++ 362 The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
C/C++ 363 The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.
C/C++ 364 The product uses a signal handler that introduces a race condition.
C/C++ 366 If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
C/C++ 367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
C/C++ 369 The product divides a value by zero.
C/C++ 376 This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).
C/C++ 377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
C/C++ 379 The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
C/C++ 380 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 381 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 387 Weaknesses in this category are related to the improper handling of signals.
C/C++ 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
C/C++ 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
C/C++ 391 [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
C/C++ 393 A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.
C/C++ 394 The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
C/C++ 396 Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
C/C++ 397 Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
C/C++ 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
C/C++ 399 Weaknesses in this category are related to improper management of system resources.
C/C++ 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
C/C++ 401 The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
C/C++ 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
C/C++ 411 Weaknesses in this category are related to improper handling of locks that are used to control access to resources.
C/C++ 415 The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
C/C++ 416 Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
C/C++ 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
C/C++ 427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
C/C++ 429 Weaknesses in this category are related to improper management of handlers.
C/C++ 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
C/C++ 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
C/C++ 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
C/C++ 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
C/C++ 456 The product does not initialize critical variables, which causes the execution environment to use unexpected values.
C/C++ 457 The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
C/C++ 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
C/C++ 460 The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
C/C++ 461 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 464 The accidental addition of a data-structure sentinel can cause serious programming logic problems.
C/C++ 465 Weaknesses in this category are related to improper handling of pointers.
C/C++ 467 The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.
C/C++ 468 In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.
C/C++ 469 The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.
C/C++ 471 The product does not properly protect an assumed-immutable element from being modified by an attacker.
C/C++ 475 The behavior of this function is undefined unless its control parameter is set to a specific value.
C/C++ 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
C/C++ 477 The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.
C/C++ 478 The code does not have a default case in an expression with multiple conditions, such as a switch statement.
C/C++ 479 The product defines a signal handler that calls a non-reentrant function.
C/C++ 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
C/C++ 481 The code uses an operator for assignment when the intention was to perform a comparison.
C/C++ 482 The code uses an operator for comparison when the intention was to perform an assignment.
C/C++ 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
C/C++ 484 The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
C/C++ 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
C/C++ 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
C/C++ 490 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 493 The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
C/C++ 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
C/C++ 500 An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
C/C++ 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
C/C++ 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
C/C++ 526 The product uses an environment variable to store unencrypted sensitive information.
C/C++ 528 The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.
C/C++ 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
C/C++ 535 A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.
C/C++ 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
C/C++ 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
C/C++ 539 The web application uses persistent cookies, but the cookies contain sensitive information.
C/C++ 543 The product uses the singleton pattern when creating a resource within a multithreaded environment.
C/C++ 547 The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
C/C++ 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
C/C++ 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
C/C++ 557 Weaknesses in this category are related to concurrent use of shared resources.
C/C++ 558 The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
C/C++ 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C/C++ 561 The product contains dead code, which can never be executed.
C/C++ 562 A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
C/C++ 563 The variable's value is assigned but never used, making it a dead store.
C/C++ 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
C/C++ 567 The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
C/C++ 569 Weaknesses in this category are related to incorrectly written expressions within code.
C/C++ 570 The product contains an expression that will always evaluate to false.
C/C++ 571 The product contains an expression that will always evaluate to true.
C/C++ 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
C/C++ 590 The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
C/C++ 592 This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
C/C++ 595 The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
C/C++ 597 The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
C/C++ 606 The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
C/C++ 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
C/C++ 617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
C/C++ 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
C/C++ 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C/C++ 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C/C++ 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C/C++ 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C/C++ 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
C/C++ 637 The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.
C/C++ 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
C/C++ 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
C/C++ 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
C/C++ 655 The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.
C/C++ 657 The product violates well-established principles for secure design.
C/C++ 662 The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
C/C++ 663 The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
C/C++ 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
C/C++ 665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
C/C++ 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
C/C++ 667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
C/C++ 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
C/C++ 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
C/C++ 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
C/C++ 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
C/C++ 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
C/C++ 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
C/C++ 675 The product performs the same operation on a resource two or more times, when the operation should only be applied once.
C/C++ 676 The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
C/C++ 680 The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
C/C++ 681 When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
C/C++ 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
C/C++ 683 The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
C/C++ 684 The code does not function according to its published specifications, potentially leading to incorrect usage.
C/C++ 685 The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.
C/C++ 686 The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.
C/C++ 687 The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.
C/C++ 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
C/C++ 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
C/C++ 694 The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.
C/C++ 696 The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
C/C++ 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
C/C++ 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
C/C++ 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
C/C++ 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
C/C++ 704 The product does not correctly convert an object, resource, or structure from one type to a different type.
C/C++ 705 The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
C/C++ 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
C/C++ 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
C/C++ 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
C/C++ 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C/C++ 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
C/C++ 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
C/C++ 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
C/C++ 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
C/C++ 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
C/C++ 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
C/C++ 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
C/C++ 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
C/C++ 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
C/C++ 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
C/C++ 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
C/C++ 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
C/C++ 726 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.
C/C++ 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
C/C++ 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
C/C++ 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
C/C++ 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
C/C++ 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
C/C++ 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
C/C++ 733 The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.
C/C++ 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
C/C++ 735 Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 745 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
C/C++ 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
C/C++ 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
C/C++ 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
C/C++ 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
C/C++ 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
C/C++ 754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
C/C++ 755 The product does not handle or incorrectly handles an exceptional condition.
C/C++ 758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
C/C++ 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
C/C++ 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
C/C++ 762 The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.
C/C++ 763 The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
C/C++ 764 The product locks a critical resource more times than intended, leading to an unexpected state in the system.
C/C++ 765 The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.
C/C++ 769 This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774.
C/C++ 770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
C/C++ 771 The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.
C/C++ 772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
C/C++ 775 The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.
C/C++ 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
C/C++ 786 The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
C/C++ 787 The product writes data past the end, or before the beginning, of the intended buffer.
C/C++ 788 The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
C/C++ 789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
C/C++ 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
C/C++ 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
C/C++ 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
C/C++ 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
C/C++ 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
C/C++ 805 The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
C/C++ 806 The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.
C/C++ 807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
C/C++ 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
C/C++ 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C/C++ 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
C/C++ 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
C/C++ 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
C/C++ 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
C/C++ 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
C/C++ 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
C/C++ 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
C/C++ 820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
C/C++ 823 The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
C/C++ 824 The product accesses or uses a pointer that has not been initialized.
C/C++ 825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
C/C++ 828 The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.
C/C++ 833 The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
C/C++ 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
C/C++ 835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
C/C++ 839 The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.
C/C++ 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
C/C++ 843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
C/C++ 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
C/C++ 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 846 Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 847 Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 849 Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 852 Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 853 Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 854 Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
C/C++ 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
C/C++ 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C/C++ 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C/C++ 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C/C++ 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
C/C++ 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
C/C++ 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 879 Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
C/C++ 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
C/C++ 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
C/C++ 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
C/C++ 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
C/C++ 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
C/C++ 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
C/C++ 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
C/C++ 891 This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38).
C/C++ 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
C/C++ 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
C/C++ 894 This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).
C/C++ 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
C/C++ 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
C/C++ 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
C/C++ 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
C/C++ 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
C/C++ 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
C/C++ 901 This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).
C/C++ 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
C/C++ 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
C/C++ 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
C/C++ 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
C/C++ 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
C/C++ 908 The product uses or accesses a resource that has not been initialized.
C/C++ 909 The product does not initialize a critical resource.
C/C++ 910 The product uses or accesses a file descriptor after it has been closed.
C/C++ 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
C/C++ 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
C/C++ 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
C/C++ 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
C/C++ 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
C/C++ 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C/C++ 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
C/C++ 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
C/C++ 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
C/C++ 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
C/C++ 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
C/C++ 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
C/C++ 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
C/C++ 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
C/C++ 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
C/C++ 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
C/C++ 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
C/C++ 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
C/C++ 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
C/C++ 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
C/C++ 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
C/C++ 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
C/C++ 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
C/C++ 960 This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5).
C/C++ 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
C/C++ 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
C/C++ 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
C/C++ 964 This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.
C/C++ 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
C/C++ 969 This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12).
C/C++ 970 This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).
C/C++ 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
C/C++ 973 This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11).
C/C++ 974 This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10).
C/C++ 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
C/C++ 976 This category identifies Software Fault Patterns (SFPs) within the Compiler cluster.
C/C++ 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
C/C++ 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
C/C++ 979 This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17).
C/C++ 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
C/C++ 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
C/C++ 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
C/C++ 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
C/C++ 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
C/C++ 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
C/C++ 986 This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).
C/C++ 987 This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).
C/C++ 988 This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).
C/C++ 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
C/C++ 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
C/C++ 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
C/C++ 993 This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.
C/C++ 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
C/C++ 995 This category identifies Software Fault Patterns (SFPs) within the Feature cluster.
C/C++ 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
C/C++ 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
C/C++ 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
C/C++ 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
C/C++ 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
C/C++ 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
C/C++ 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
C/C++ 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
C/C++ 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
C/C++ 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
C/C++ 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
C/C++ 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
C/C++ 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
C/C++ 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
C/C++ 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
C/C++ 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
C/C++ 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
C/C++ 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
C/C++ 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
C/C++ 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
C/C++ 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
C/C++ 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
C/C++ 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
C/C++ 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
C/C++ 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
C/C++ 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
C/C++ 1037 The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.
C/C++ 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
C/C++ 1045 A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.
C/C++ 1055 The product contains a class with inheritance from more than one concrete class.
C/C++ 1059 The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.
C/C++ 1061 The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.
C/C++ 1076 The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.
C/C++ 1077 The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.
C/C++ 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
C/C++ 1079 A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.
C/C++ 1095 The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.
C/C++ 1108 The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.
C/C++ 1109 The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.
C/C++ 1113 The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.
C/C++ 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
C/C++ 1126 The source code declares a variable in one scope, but the variable is only used within a narrower scope.
C/C++ 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
C/C++ 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
C/C++ 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
C/C++ 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
C/C++ 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
C/C++ 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1135 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1139 Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1142 Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1143 Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
C/C++ 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
C/C++ 1156 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard.
C/C++ 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
C/C++ 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
C/C++ 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
C/C++ 1160 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.
C/C++ 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
C/C++ 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
C/C++ 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
C/C++ 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
C/C++ 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
C/C++ 1166 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.
C/C++ 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
C/C++ 1168 Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard.
C/C++ 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
C/C++ 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
C/C++ 1171 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
C/C++ 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
C/C++ 1177 The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.
C/C++ 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
C/C++ 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
C/C++ 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
C/C++ 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
C/C++ 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
C/C++ 1185 Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard.
C/C++ 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
C/C++ 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
C/C++ 1195 Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain.
C/C++ 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
C/C++ 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
C/C++ 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
C/C++ 1205 Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs).
C/C++ 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
C/C++ 1208 Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components.
C/C++ 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
C/C++ 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
C/C++ 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
C/C++ 1213 Weaknesses in this category are related to a software system's random number generation.
C/C++ 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
C/C++ 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
C/C++ 1218 Weaknesses in this category are related to the handling of memory buffers within a software system.
C/C++ 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
C/C++ 1226 Weaknesses in this category are associated with things being overly complex.
C/C++ 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
C/C++ 1237 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37).
C/C++ 1238 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38).
C/C++ 1241 The device uses an algorithm that is predictable and generates a pseudo-random number.
C/C++ 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
C/C++ 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
C/C++ 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
C/C++ 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
C/C++ 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
C/C++ 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
C/C++ 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
C/C++ 1341 The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.
C/C++ 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
C/C++ 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
C/C++ 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
C/C++ 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
C/C++ 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
C/C++ 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
C/C++ 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
C/C++ 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
C/C++ 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
C/C++ 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
C/C++ 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
C/C++ 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C/C++ 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C/C++ 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C/C++ 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C/C++ 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
C/C++ 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1373 Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1376 Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1379 Weaknesses in this category are related to the "Human factors in ICS environments" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Environmental factors in ICS including physical duress, system complexities, and isolation may result in security gaps or inadequacies in the performance of individual duties and responsibilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
C/C++ 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
C/C++ 1396 Weaknesses in this category are related to access control.
C/C++ 1397 Weaknesses in this category are related to comparison.
C/C++ 1398 Weaknesses in this category are related to component interaction.
C/C++ 1399 Weaknesses in this category are related to memory safety.
C/C++ 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
C/C++ 1401 Weaknesses in this category are related to concurrency.
C/C++ 1402 Weaknesses in this category are related to encryption.
C/C++ 1403 Weaknesses in this category are related to exposed resource.
C/C++ 1404 Weaknesses in this category are related to file handling.
C/C++ 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
C/C++ 1406 Weaknesses in this category are related to improper input validation.
C/C++ 1407 Weaknesses in this category are related to improper neutralization.
C/C++ 1408 Weaknesses in this category are related to incorrect calculation.
C/C++ 1409 Weaknesses in this category are related to injection.
C/C++ 1410 Weaknesses in this category are related to insufficient control flow management.
C/C++ 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
C/C++ 1412 Weaknesses in this category are related to poor coding practices.
C/C++ 1413 Weaknesses in this category are related to protection mechanism failure.
C/C++ 1414 Weaknesses in this category are related to randomness.
C/C++ 1415 Weaknesses in this category are related to resource control.
C/C++ 1416 Weaknesses in this category are related to resource lifecycle management.
C/C++ 1417 Weaknesses in this category are related to sensitive information exposure.
C/C++ 1418 Weaknesses in this category are related to violation of secure design principles.
CUDA 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
CUDA 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
CUDA 14 Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
CUDA 16 Weaknesses in this category are typically introduced during the configuration of the software.
CUDA 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
CUDA 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CUDA 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
CUDA 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CUDA 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CUDA 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
CUDA 59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CUDA 66 The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.
CUDA 67 The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
CUDA 68 This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships.
CUDA 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CUDA 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CUDA 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CUDA 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CUDA 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CUDA 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
CUDA 93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CUDA 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CUDA 99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
CUDA 113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CUDA 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CUDA 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
CUDA 118 The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.
CUDA 119 The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
CUDA 120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
CUDA 121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CUDA 122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CUDA 123 Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
CUDA 124 The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
CUDA 125 The product reads data past the end, or before the beginning, of the intended buffer.
CUDA 126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
CUDA 127 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
CUDA 128 Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
CUDA 129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
CUDA 130 The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.
CUDA 131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CUDA 133 Weaknesses in this category are related to the creation and modification of strings.
CUDA 134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
CUDA 135 The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.
CUDA 136 Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types.
CUDA 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
CUDA 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
CUDA 140 The product does not neutralize or incorrectly neutralizes delimiters.
CUDA 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
CUDA 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
CUDA 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
CUDA 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
CUDA 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
CUDA 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
CUDA 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
CUDA 169 This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy.
CUDA 170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
CUDA 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
CUDA 187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
CUDA 188 The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
CUDA 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
CUDA 190 The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
CUDA 191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
CUDA 192 Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.
CUDA 193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
CUDA 194 The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
CUDA 195 The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.
CUDA 197 Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
CUDA 198 The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.
CUDA 199 Weaknesses in this category are related to improper handling of sensitive information.
CUDA 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CUDA 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CUDA 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
CUDA 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
CUDA 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
CUDA 216 This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.
CUDA 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
CUDA 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
CUDA 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
CUDA 228 The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
CUDA 237 The product does not handle or incorrectly handles inputs that are related to complex structures.
CUDA 240 The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.
CUDA 241 The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
CUDA 242 The product calls a function that can never be guaranteed to work safely.
CUDA 243 The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.
CUDA 244 Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
CUDA 247 This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.
CUDA 248 An exception is thrown from a function, but it is not caught.
CUDA 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
CUDA 252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
CUDA 253 The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
CUDA 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
CUDA 255 Weaknesses in this category are related to the management of credentials.
CUDA 256 Storing a password in plaintext may result in a system compromise.
CUDA 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
CUDA 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
CUDA 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
CUDA 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
CUDA 269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CUDA 271 The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
CUDA 272 The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
CUDA 273 The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
CUDA 275 Weaknesses in this category are related to improper assignment or handling of permissions.
CUDA 276 During installation, installed file permissions are set to allow anyone to modify those files.
CUDA 282 The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.
CUDA 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CUDA 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CUDA 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CUDA 290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CUDA 291 The product uses an IP address for authentication.
CUDA 293 The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
CUDA 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
CUDA 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
CUDA 311 The product does not encrypt sensitive or critical information before storage or transmission.
CUDA 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CUDA 313 The product stores sensitive information in cleartext in a file, or on disk.
CUDA 314 The product stores sensitive information in cleartext in the registry.
CUDA 315 The product stores sensitive information in cleartext in a cookie.
CUDA 317 The product stores sensitive information in cleartext within the GUI.
CUDA 318 The product stores sensitive information in cleartext in an executable.
CUDA 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CUDA 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
CUDA 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
CUDA 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CUDA 327 The product uses a broken or risky cryptographic algorithm or protocol.
CUDA 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CUDA 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
CUDA 335 The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
CUDA 336 A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
CUDA 337 A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
CUDA 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CUDA 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
CUDA 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CUDA 350 The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
CUDA 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
CUDA 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
CUDA 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
CUDA 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
CUDA 362 The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CUDA 363 The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.
CUDA 364 The product uses a signal handler that introduces a race condition.
CUDA 366 If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
CUDA 367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
CUDA 369 The product divides a value by zero.
CUDA 376 This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).
CUDA 377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
CUDA 379 The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
CUDA 380 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 381 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 387 Weaknesses in this category are related to the improper handling of signals.
CUDA 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
CUDA 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
CUDA 391 [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
CUDA 393 A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.
CUDA 394 The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
CUDA 396 Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
CUDA 397 Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
CUDA 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
CUDA 399 Weaknesses in this category are related to improper management of system resources.
CUDA 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CUDA 401 The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
CUDA 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CUDA 411 Weaknesses in this category are related to improper handling of locks that are used to control access to resources.
CUDA 415 The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
CUDA 416 Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CUDA 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
CUDA 427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CUDA 429 Weaknesses in this category are related to improper management of handlers.
CUDA 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
CUDA 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
CUDA 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
CUDA 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
CUDA 456 The product does not initialize critical variables, which causes the execution environment to use unexpected values.
CUDA 457 The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
CUDA 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
CUDA 460 The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
CUDA 461 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 464 The accidental addition of a data-structure sentinel can cause serious programming logic problems.
CUDA 465 Weaknesses in this category are related to improper handling of pointers.
CUDA 467 The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.
CUDA 468 In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.
CUDA 469 The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.
CUDA 471 The product does not properly protect an assumed-immutable element from being modified by an attacker.
CUDA 475 The behavior of this function is undefined unless its control parameter is set to a specific value.
CUDA 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
CUDA 477 The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.
CUDA 478 The code does not have a default case in an expression with multiple conditions, such as a switch statement.
CUDA 479 The product defines a signal handler that calls a non-reentrant function.
CUDA 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
CUDA 481 The code uses an operator for assignment when the intention was to perform a comparison.
CUDA 482 The code uses an operator for comparison when the intention was to perform an assignment.
CUDA 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
CUDA 484 The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
CUDA 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
CUDA 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
CUDA 490 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 493 The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
CUDA 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
CUDA 500 An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
CUDA 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CUDA 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
CUDA 526 The product uses an environment variable to store unencrypted sensitive information.
CUDA 528 The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.
CUDA 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
CUDA 535 A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.
CUDA 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
CUDA 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
CUDA 539 The web application uses persistent cookies, but the cookies contain sensitive information.
CUDA 543 The product uses the singleton pattern when creating a resource within a multithreaded environment.
CUDA 547 The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
CUDA 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
CUDA 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
CUDA 557 Weaknesses in this category are related to concurrent use of shared resources.
CUDA 558 The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
CUDA 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
CUDA 561 The product contains dead code, which can never be executed.
CUDA 562 A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
CUDA 563 The variable's value is assigned but never used, making it a dead store.
CUDA 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
CUDA 567 The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
CUDA 569 Weaknesses in this category are related to incorrectly written expressions within code.
CUDA 570 The product contains an expression that will always evaluate to false.
CUDA 571 The product contains an expression that will always evaluate to true.
CUDA 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
CUDA 590 The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
CUDA 592 This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
CUDA 595 The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
CUDA 597 The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
CUDA 606 The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
CUDA 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
CUDA 617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CUDA 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
CUDA 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
CUDA 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
CUDA 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
CUDA 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
CUDA 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
CUDA 637 The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.
CUDA 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CUDA 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
CUDA 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
CUDA 655 The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.
CUDA 657 The product violates well-established principles for secure design.
CUDA 662 The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
CUDA 663 The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
CUDA 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
CUDA 665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
CUDA 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
CUDA 667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
CUDA 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CUDA 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
CUDA 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
CUDA 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
CUDA 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
CUDA 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CUDA 675 The product performs the same operation on a resource two or more times, when the operation should only be applied once.
CUDA 676 The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
CUDA 680 The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
CUDA 681 When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
CUDA 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
CUDA 683 The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
CUDA 684 The code does not function according to its published specifications, potentially leading to incorrect usage.
CUDA 685 The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.
CUDA 686 The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.
CUDA 687 The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.
CUDA 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
CUDA 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CUDA 694 The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.
CUDA 696 The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
CUDA 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
CUDA 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
CUDA 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
CUDA 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
CUDA 704 The product does not correctly convert an object, resource, or structure from one type to a different type.
CUDA 705 The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
CUDA 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
CUDA 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
CUDA 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
CUDA 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
CUDA 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
CUDA 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
CUDA 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
CUDA 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
CUDA 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
CUDA 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
CUDA 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
CUDA 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
CUDA 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
CUDA 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
CUDA 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
CUDA 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
CUDA 726 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.
CUDA 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
CUDA 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
CUDA 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
CUDA 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
CUDA 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
CUDA 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CUDA 733 The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.
CUDA 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
CUDA 735 Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008).
CUDA 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
CUDA 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
CUDA 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
CUDA 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
CUDA 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
CUDA 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
CUDA 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
CUDA 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
CUDA 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
CUDA 745 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
CUDA 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
CUDA 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
CUDA 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
CUDA 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
CUDA 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
CUDA 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
CUDA 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
CUDA 754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CUDA 755 The product does not handle or incorrectly handles an exceptional condition.
CUDA 758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
CUDA 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
CUDA 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
CUDA 762 The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.
CUDA 763 The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.
CUDA 764 The product locks a critical resource more times than intended, leading to an unexpected state in the system.
CUDA 765 The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.
CUDA 769 This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774.
CUDA 770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
CUDA 771 The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.
CUDA 772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
CUDA 775 The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.
CUDA 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
CUDA 786 The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
CUDA 787 The product writes data past the end, or before the beginning, of the intended buffer.
CUDA 788 The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.
CUDA 789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CUDA 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CUDA 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
CUDA 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
CUDA 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
CUDA 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
CUDA 805 The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
CUDA 806 The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.
CUDA 807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
CUDA 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
CUDA 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
CUDA 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
CUDA 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
CUDA 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
CUDA 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
CUDA 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
CUDA 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
CUDA 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
CUDA 820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
CUDA 823 The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
CUDA 824 The product accesses or uses a pointer that has not been initialized.
CUDA 825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CUDA 828 The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.
CUDA 833 The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
CUDA 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
CUDA 835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
CUDA 839 The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.
CUDA 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
CUDA 843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
CUDA 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
CUDA 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 846 Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 847 Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 849 Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 852 Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 853 Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 854 Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
CUDA 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CUDA 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
CUDA 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
CUDA 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
CUDA 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
CUDA 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
CUDA 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 879 Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
CUDA 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
CUDA 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
CUDA 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
CUDA 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
CUDA 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
CUDA 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
CUDA 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
CUDA 891 This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38).
CUDA 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
CUDA 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
CUDA 894 This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).
CUDA 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
CUDA 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
CUDA 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
CUDA 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
CUDA 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
CUDA 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
CUDA 901 This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).
CUDA 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
CUDA 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
CUDA 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
CUDA 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
CUDA 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
CUDA 908 The product uses or accesses a resource that has not been initialized.
CUDA 909 The product does not initialize a critical resource.
CUDA 910 The product uses or accesses a file descriptor after it has been closed.
CUDA 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
CUDA 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
CUDA 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CUDA 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
CUDA 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
CUDA 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
CUDA 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
CUDA 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
CUDA 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
CUDA 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
CUDA 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
CUDA 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
CUDA 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
CUDA 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
CUDA 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
CUDA 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
CUDA 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
CUDA 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
CUDA 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
CUDA 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
CUDA 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
CUDA 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
CUDA 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
CUDA 960 This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5).
CUDA 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
CUDA 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
CUDA 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
CUDA 964 This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.
CUDA 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
CUDA 969 This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12).
CUDA 970 This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).
CUDA 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
CUDA 973 This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11).
CUDA 974 This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10).
CUDA 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
CUDA 976 This category identifies Software Fault Patterns (SFPs) within the Compiler cluster.
CUDA 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
CUDA 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
CUDA 979 This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17).
CUDA 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
CUDA 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
CUDA 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
CUDA 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
CUDA 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
CUDA 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
CUDA 986 This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).
CUDA 987 This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).
CUDA 988 This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).
CUDA 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
CUDA 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
CUDA 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
CUDA 993 This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.
CUDA 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
CUDA 995 This category identifies Software Fault Patterns (SFPs) within the Feature cluster.
CUDA 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
CUDA 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
CUDA 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
CUDA 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
CUDA 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
CUDA 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
CUDA 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
CUDA 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
CUDA 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
CUDA 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
CUDA 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
CUDA 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
CUDA 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
CUDA 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
CUDA 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
CUDA 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
CUDA 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
CUDA 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
CUDA 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
CUDA 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
CUDA 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
CUDA 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
CUDA 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
CUDA 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
CUDA 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
CUDA 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
CUDA 1037 The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.
CUDA 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
CUDA 1045 A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.
CUDA 1055 The product contains a class with inheritance from more than one concrete class.
CUDA 1059 The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.
CUDA 1061 The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.
CUDA 1076 The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.
CUDA 1077 The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.
CUDA 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
CUDA 1079 A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.
CUDA 1095 The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.
CUDA 1108 The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.
CUDA 1109 The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.
CUDA 1113 The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.
CUDA 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
CUDA 1126 The source code declares a variable in one scope, but the variable is only used within a narrower scope.
CUDA 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
CUDA 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
CUDA 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
CUDA 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
CUDA 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
CUDA 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1135 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1139 Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1142 Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1143 Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
CUDA 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
CUDA 1156 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard.
CUDA 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
CUDA 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
CUDA 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
CUDA 1160 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.
CUDA 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
CUDA 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
CUDA 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
CUDA 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
CUDA 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
CUDA 1166 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.
CUDA 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
CUDA 1168 Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard.
CUDA 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
CUDA 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
CUDA 1171 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
CUDA 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
CUDA 1177 The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.
CUDA 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
CUDA 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
CUDA 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
CUDA 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
CUDA 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
CUDA 1185 Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard.
CUDA 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
CUDA 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
CUDA 1195 Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain.
CUDA 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
CUDA 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
CUDA 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
CUDA 1205 Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs).
CUDA 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
CUDA 1208 Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components.
CUDA 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
CUDA 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
CUDA 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
CUDA 1213 Weaknesses in this category are related to a software system's random number generation.
CUDA 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
CUDA 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
CUDA 1218 Weaknesses in this category are related to the handling of memory buffers within a software system.
CUDA 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
CUDA 1226 Weaknesses in this category are associated with things being overly complex.
CUDA 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
CUDA 1237 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37).
CUDA 1238 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38).
CUDA 1241 The device uses an algorithm that is predictable and generates a pseudo-random number.
CUDA 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
CUDA 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
CUDA 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
CUDA 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
CUDA 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
CUDA 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
CUDA 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
CUDA 1341 The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.
CUDA 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
CUDA 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
CUDA 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
CUDA 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
CUDA 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
CUDA 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
CUDA 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
CUDA 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
CUDA 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
CUDA 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
CUDA 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
CUDA 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
CUDA 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
CUDA 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
CUDA 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
CUDA 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
CUDA 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1373 Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1376 Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1379 Weaknesses in this category are related to the "Human factors in ICS environments" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Environmental factors in ICS including physical duress, system complexities, and isolation may result in security gaps or inadequacies in the performance of individual duties and responsibilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
CUDA 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
CUDA 1396 Weaknesses in this category are related to access control.
CUDA 1397 Weaknesses in this category are related to comparison.
CUDA 1398 Weaknesses in this category are related to component interaction.
CUDA 1399 Weaknesses in this category are related to memory safety.
CUDA 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
CUDA 1401 Weaknesses in this category are related to concurrency.
CUDA 1402 Weaknesses in this category are related to encryption.
CUDA 1403 Weaknesses in this category are related to exposed resource.
CUDA 1404 Weaknesses in this category are related to file handling.
CUDA 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
CUDA 1406 Weaknesses in this category are related to improper input validation.
CUDA 1407 Weaknesses in this category are related to improper neutralization.
CUDA 1408 Weaknesses in this category are related to incorrect calculation.
CUDA 1409 Weaknesses in this category are related to injection.
CUDA 1410 Weaknesses in this category are related to insufficient control flow management.
CUDA 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
CUDA 1412 Weaknesses in this category are related to poor coding practices.
CUDA 1413 Weaknesses in this category are related to protection mechanism failure.
CUDA 1414 Weaknesses in this category are related to randomness.
CUDA 1415 Weaknesses in this category are related to resource control.
CUDA 1416 Weaknesses in this category are related to resource lifecycle management.
CUDA 1417 Weaknesses in this category are related to sensitive information exposure.
CUDA 1418 Weaknesses in this category are related to violation of secure design principles.
Go 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
Go 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Go 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
Go 16 Weaknesses in this category are typically introduced during the configuration of the software.
Go 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Go 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Go 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Go 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Go 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
Go 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Go 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Go 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Go 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Go 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Go 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Go 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Go 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Go 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
Go 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Go 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
Go 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
Go 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
Go 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Go 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Go 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Go 93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Go 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Go 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Go 113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Go 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Go 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
Go 118 The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.
Go 119 The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Go 133 Weaknesses in this category are related to the creation and modification of strings.
Go 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Go 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
Go 140 The product does not neutralize or incorrectly neutralizes delimiters.
Go 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
Go 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
Go 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
Go 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
Go 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
Go 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Go 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
Go 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Go 183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Go 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
Go 199 Weaknesses in this category are related to improper handling of sensitive information.
Go 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Go 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Go 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Go 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
Go 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
Go 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
Go 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
Go 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
Go 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
Go 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
Go 252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Go 253 The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
Go 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Go 255 Weaknesses in this category are related to the management of credentials.
Go 256 Storing a password in plaintext may result in a system compromise.
Go 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
Go 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Go 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Go 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Go 275 Weaknesses in this category are related to improper assignment or handling of permissions.
Go 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Go 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Go 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Go 295 The product does not validate, or incorrectly validates, a certificate.
Go 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
Go 304 The product implements an authentication technique, but it skips a step that weakens the technique.
Go 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Go 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Go 311 The product does not encrypt sensitive or critical information before storage or transmission.
Go 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Go 313 The product stores sensitive information in cleartext in a file, or on disk.
Go 314 The product stores sensitive information in cleartext in the registry.
Go 315 The product stores sensitive information in cleartext in a cookie.
Go 317 The product stores sensitive information in cleartext within the GUI.
Go 318 The product stores sensitive information in cleartext in an executable.
Go 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Go 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
Go 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Go 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Go 327 The product uses a broken or risky cryptographic algorithm or protocol.
Go 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Go 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Go 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Go 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Go 346 The product does not properly verify that the source of data or communication is valid.
Go 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Go 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Go 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
Go 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Go 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Go 362 The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
Go 366 If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
Go 369 The product divides a value by zero.
Go 371 Weaknesses in this category are related to improper management of system state.
Go 384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Go 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
Go 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
Go 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Go 399 Weaknesses in this category are related to improper management of system resources.
Go 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Go 405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Go 409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Go 411 Weaknesses in this category are related to improper handling of locks that are used to control access to resources.
Go 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
Go 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
Go 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Go 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
Go 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Go 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Go 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
Go 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
Go 465 Weaknesses in this category are related to improper handling of pointers.
Go 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Go 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
Go 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
Go 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Go 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Go 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
Go 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Go 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Go 526 The product uses an environment variable to store unencrypted sensitive information.
Go 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Go 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
Go 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Go 539 The web application uses persistent cookies, but the cookies contain sensitive information.
Go 548 A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
Go 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
Go 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Go 557 Weaknesses in this category are related to concurrent use of shared resources.
Go 561 The product contains dead code, which can never be executed.
Go 563 The variable's value is assigned but never used, making it a dead store.
Go 565 The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
Go 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Go 567 The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
Go 569 Weaknesses in this category are related to incorrectly written expressions within code.
Go 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
Go 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Go 602 The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
Go 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Go 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Go 613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Go 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Go 617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Go 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Go 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Go 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Go 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Go 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Go 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Go 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Go 642 The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
Go 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Go 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Go 657 The product violates well-established principles for secure design.
Go 662 The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
Go 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Go 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
Go 667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Go 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Go 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Go 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Go 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Go 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Go 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Go 675 The product performs the same operation on a resource two or more times, when the operation should only be applied once.
Go 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Go 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Go 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
Go 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Go 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
Go 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Go 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Go 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Go 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Go 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Go 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Go 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Go 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
Go 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Go 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
Go 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
Go 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
Go 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
Go 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Go 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Go 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Go 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
Go 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Go 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Go 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Go 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Go 726 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.
Go 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Go 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
Go 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Go 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
Go 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
Go 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Go 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Go 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
Go 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Go 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
Go 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
Go 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
Go 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Go 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
Go 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
Go 745 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
Go 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Go 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Go 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
Go 749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Go 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Go 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Go 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
Go 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Go 754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Go 755 The product does not handle or incorrectly handles an exceptional condition.
Go 764 The product locks a critical resource more times than intended, leading to an unexpected state in the system.
Go 765 The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.
Go 776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Go 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Go 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
Go 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Go 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Go 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Go 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
Go 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Go 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Go 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Go 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Go 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
Go 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Go 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
Go 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
Go 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
Go 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Go 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
Go 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Go 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
Go 820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
Go 833 The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
Go 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Go 835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Go 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Go 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Go 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 847 Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 852 Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 853 Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 855 Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Go 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Go 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Go 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Go 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Go 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Go 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Go 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 879 Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Go 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Go 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
Go 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
Go 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
Go 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Go 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
Go 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
Go 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Go 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Go 894 This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).
Go 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Go 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Go 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Go 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Go 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Go 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
Go 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
Go 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Go 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
Go 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Go 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Go 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Go 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Go 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Go 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Go 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Go 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Go 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
Go 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
Go 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
Go 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Go 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Go 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
Go 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
Go 942 The product uses a cross-domain policy file that includes domains that should not be trusted.
Go 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Go 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Go 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
Go 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
Go 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Go 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Go 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
Go 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
Go 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
Go 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
Go 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
Go 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
Go 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
Go 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
Go 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
Go 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Go 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
Go 970 This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).
Go 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
Go 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Go 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
Go 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Go 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Go 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
Go 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
Go 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
Go 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Go 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
Go 986 This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).
Go 987 This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).
Go 988 This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).
Go 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Go 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
Go 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Go 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Go 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
Go 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
Go 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Go 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
Go 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Go 1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Go 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Go 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Go 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Go 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
Go 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Go 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Go 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
Go 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Go 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Go 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Go 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
Go 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
Go 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Go 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Go 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
Go 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Go 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Go 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Go 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Go 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
Go 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Go 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
Go 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
Go 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
Go 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
Go 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
Go 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Go 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
Go 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
Go 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Go 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Go 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1142 Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1143 Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1145 Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Go 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Go 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
Go 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
Go 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
Go 1160 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.
Go 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
Go 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Go 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Go 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
Go 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
Go 1166 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.
Go 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
Go 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Go 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Go 1171 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
Go 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Go 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Go 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Go 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
Go 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
Go 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
Go 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Go 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
Go 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Go 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
Go 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Go 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
Go 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
Go 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
Go 1213 Weaknesses in this category are related to a software system's random number generation.
Go 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
Go 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
Go 1217 Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.
Go 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
Go 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
Go 1275 The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
Go 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Go 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Go 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
Go 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Go 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
Go 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Go 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Go 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Go 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Go 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Go 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Go 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Go 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
Go 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Go 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Go 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Go 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
Go 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
Go 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Go 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Go 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Go 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Go 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Go 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1376 Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Go 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Go 1396 Weaknesses in this category are related to access control.
Go 1397 Weaknesses in this category are related to comparison.
Go 1398 Weaknesses in this category are related to component interaction.
Go 1399 Weaknesses in this category are related to memory safety.
Go 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Go 1401 Weaknesses in this category are related to concurrency.
Go 1402 Weaknesses in this category are related to encryption.
Go 1403 Weaknesses in this category are related to exposed resource.
Go 1404 Weaknesses in this category are related to file handling.
Go 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
Go 1406 Weaknesses in this category are related to improper input validation.
Go 1407 Weaknesses in this category are related to improper neutralization.
Go 1408 Weaknesses in this category are related to incorrect calculation.
Go 1409 Weaknesses in this category are related to injection.
Go 1410 Weaknesses in this category are related to insufficient control flow management.
Go 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
Go 1412 Weaknesses in this category are related to poor coding practices.
Go 1413 Weaknesses in this category are related to protection mechanism failure.
Go 1414 Weaknesses in this category are related to randomness.
Go 1415 Weaknesses in this category are related to resource control.
Go 1416 Weaknesses in this category are related to resource lifecycle management.
Go 1417 Weaknesses in this category are related to sensitive information exposure.
Go 1418 Weaknesses in this category are related to violation of secure design principles.
Java 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
Java 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
Java 16 Weaknesses in this category are typically introduced during the configuration of the software.
Java 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Java 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Java 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
Java 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Java 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Java 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Java 66 The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.
Java 67 The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
Java 68 This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships.
Java 73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Java 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Java 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Java 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Java 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Java 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Java 81 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.
Java 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
Java 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Java 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
Java 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
Java 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
Java 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Java 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Java 90 The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Java 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Java 93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Java 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Java 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Java 96 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.
Java 97 The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.
Java 99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
Java 100 This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy.
Java 101 This category has been deprecated. It was originally used for organizing the Development View (CWE-69 9), but it introduced unnecessary complexity and depth to the resulting tree.
Java 102 The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.
Java 103 The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().
Java 104 If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
Java 106 When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.
Java 111 When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.
Java 113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Java 114 Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.
Java 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Java 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
Java 118 The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.
Java 119 The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Java 133 Weaknesses in this category are related to the creation and modification of strings.
Java 134 The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
Java 135 The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.
Java 136 Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types.
Java 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Java 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
Java 140 The product does not neutralize or incorrectly neutralizes delimiters.
Java 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
Java 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
Java 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
Java 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
Java 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
Java 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Java 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
Java 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Java 172 The product does not properly encode or decode the data, resulting in unexpected values.
Java 176 The product does not properly handle when an input contains Unicode encoding.
Java 179 The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.
Java 180 The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
Java 182 The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
Java 183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Java 185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Java 187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
Java 188 The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
Java 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
Java 190 The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
Java 192 Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.
Java 198 The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.
Java 199 Weaknesses in this category are related to improper handling of sensitive information.
Java 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Java 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Java 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Java 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
Java 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
Java 216 This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.
Java 218 This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493.
Java 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
Java 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
Java 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
Java 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
Java 242 The product calls a function that can never be guaranteed to work safely.
Java 245 The J2EE application directly manages connections, instead of using the container's connection management facilities.
Java 246 The J2EE application directly uses sockets instead of using framework method calls.
Java 247 This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.
Java 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
Java 250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Java 252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Java 253 The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
Java 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Java 255 Weaknesses in this category are related to the management of credentials.
Java 256 Storing a password in plaintext may result in a system compromise.
Java 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
Java 258 Using an empty string as a password is insecure.
Java 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Java 260 The product stores a password in a configuration file that might be accessible to actors who do not know the password.
Java 261 Obscuring a password with a trivial encoding does not protect the password.
Java 263 The product supports password aging, but the expiration period is too long.
Java 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Java 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Java 266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Java 269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Java 271 The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
Java 272 The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
Java 275 Weaknesses in this category are related to improper assignment or handling of permissions.
Java 276 During installation, installed file permissions are set to allow anyone to modify those files.
Java 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Java 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Java 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Java 290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Java 291 The product uses an IP address for authentication.
Java 293 The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
Java 295 The product does not validate, or incorrectly validates, a certificate.
Java 296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
Java 297 The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Java 299 The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
Java 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
Java 302 The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Java 304 The product implements an authentication technique, but it skips a step that weakens the technique.
Java 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Java 308 The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
Java 309 The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
Java 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Java 311 The product does not encrypt sensitive or critical information before storage or transmission.
Java 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Java 313 The product stores sensitive information in cleartext in a file, or on disk.
Java 314 The product stores sensitive information in cleartext in the registry.
Java 315 The product stores sensitive information in cleartext in a cookie.
Java 317 The product stores sensitive information in cleartext within the GUI.
Java 318 The product stores sensitive information in cleartext in an executable.
Java 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Java 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
Java 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Java 324 The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
Java 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Java 327 The product uses a broken or risky cryptographic algorithm or protocol.
Java 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Java 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Java 335 The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
Java 336 A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
Java 337 A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
Java 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Java 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Java 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Java 346 The product does not properly verify that the source of data or communication is valid.
Java 347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Java 350 The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
Java 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Java 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Java 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
Java 358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Java 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Java 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Java 362 The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
Java 366 If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
Java 369 The product divides a value by zero.
Java 371 Weaknesses in this category are related to improper management of system state.
Java 374 The product sends non-cloned mutable data as an argument to a method or function.
Java 375 Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.
Java 380 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 381 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 382 A J2EE application uses System.exit(), which also shuts down its container.
Java 383 Thread management in a Web application is forbidden in some circumstances and is always highly error prone.
Java 384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Java 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
Java 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
Java 390 The product detects a specific error, but takes no actions to handle the error.
Java 391 [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
Java 392 The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
Java 396 Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
Java 397 Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
Java 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Java 399 Weaknesses in this category are related to improper management of system resources.
Java 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Java 401 The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
Java 402 The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Java 403 A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
Java 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Java 405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Java 409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Java 411 Weaknesses in this category are related to improper handling of locks that are used to control access to resources.
Java 413 The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
Java 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
Java 427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Java 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
Java 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Java 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
Java 440 A feature, API, or function does not perform according to its specification.
Java 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Java 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
Java 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
Java 460 The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
Java 461 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 463 The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
Java 465 Weaknesses in this category are related to improper handling of pointers.
Java 470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Java 471 The product does not properly protect an assumed-immutable element from being modified by an attacker.
Java 474 The code uses a function that has inconsistent implementations across operating systems and versions.
Java 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Java 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
Java 481 The code uses an operator for assignment when the intention was to perform a comparison.
Java 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
Java 484 The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
Java 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
Java 486 The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
Java 487 Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
Java 488 The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
Java 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
Java 490 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 492 Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
Java 493 The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
Java 494 The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
Java 495 The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
Java 496 Assigning public data to a private array is equivalent to giving public access to the array.
Java 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Java 498 The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
Java 499 The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.
Java 500 An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
Java 501 The product mixes trusted and untrusted data in the same data structure or structured message.
Java 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Java 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
Java 521 The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
Java 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Java 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Java 524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Java 525 The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
Java 526 The product uses an environment variable to store unencrypted sensitive information.
Java 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Java 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
Java 537 In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.
Java 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Java 539 The web application uses persistent cookies, but the cookies contain sensitive information.
Java 540 Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
Java 543 The product uses the singleton pattern when creating a resource within a multithreaded environment.
Java 548 A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
Java 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
Java 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Java 557 Weaknesses in this category are related to concurrent use of shared resources.
Java 558 The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
Java 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Java 561 The product contains dead code, which can never be executed.
Java 563 The variable's value is assigned but never used, making it a dead store.
Java 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Java 567 The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
Java 568 The product contains a finalize() method that does not call super.finalize().
Java 569 Weaknesses in this category are related to incorrectly written expressions within code.
Java 570 The product contains an expression that will always evaluate to false.
Java 571 The product contains an expression that will always evaluate to true.
Java 572 The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.
Java 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
Java 574 The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.
Java 575 The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.
Java 576 The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.
Java 577 The product violates the Enterprise JavaBeans (EJB) specification by using sockets.
Java 579 The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.
Java 580 The product contains a clone() method that does not call super.clone() to obtain the new object.
Java 581 The product does not maintain equal hashcodes for equal objects.
Java 583 The product violates secure coding principles for mobile code by declaring a finalize() method public.
Java 584 The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.
Java 585 The product contains an empty synchronized block.
Java 586 The product makes an explicit call to the finalize() method from outside the finalizer.
Java 589 The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.
Java 592 This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
Java 594 When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.
Java 595 The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
Java 596 This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023.
Java 597 The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
Java 598 The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
Java 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Java 607 A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.
Java 609 The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
Java 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Java 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Java 613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Java 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Java 615 While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.
Java 617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Java 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Java 625 The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Java 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
Java 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Java 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Java 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Java 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Java 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Java 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Java 642 The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
Java 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Java 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Java 647 The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
Java 650 The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.
Java 654 A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
Java 657 The product violates well-established principles for secure design.
Java 662 The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
Java 663 The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
Java 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Java 665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Java 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
Java 667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Java 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Java 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Java 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Java 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Java 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Java 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Java 676 The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
Java 681 When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
Java 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Java 683 The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
Java 684 The code does not function according to its published specifications, potentially leading to incorrect usage.
Java 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Java 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
Java 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Java 694 The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.
Java 695 The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.
Java 696 The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
Java 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
Java 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Java 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Java 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Java 704 The product does not correctly convert an object, resource, or structure from one type to a different type.
Java 705 The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
Java 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Java 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Java 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Java 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Java 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
Java 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Java 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
Java 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
Java 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
Java 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
Java 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Java 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Java 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Java 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
Java 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Java 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Java 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Java 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Java 726 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.
Java 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Java 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
Java 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Java 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
Java 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
Java 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Java 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Java 735 Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008).
Java 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
Java 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
Java 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Java 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
Java 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
Java 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
Java 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Java 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
Java 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
Java 745 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
Java 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Java 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Java 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
Java 749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
Java 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Java 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Java 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
Java 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Java 754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Java 755 The product does not handle or incorrectly handles an exceptional condition.
Java 757 A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
Java 758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Java 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
Java 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
Java 766 The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.
Java 772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Java 776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Java 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Java 779 The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
Java 780 The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
Java 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
Java 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Java 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Java 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Java 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
Java 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Java 807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Java 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Java 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Java 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Java 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
Java 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Java 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
Java 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
Java 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
Java 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Java 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
Java 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Java 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
Java 820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
Java 821 The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.
Java 827 The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.
Java 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Java 833 The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
Java 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Java 835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Java 838 The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.
Java 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Java 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Java 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 846 Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 847 Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 849 Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 852 Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 853 Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 854 Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 855 Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Java 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Java 863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
Java 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Java 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Java 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Java 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Java 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Java 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 879 Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Java 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Java 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
Java 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
Java 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
Java 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Java 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
Java 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
Java 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Java 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Java 894 This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).
Java 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Java 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Java 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
Java 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Java 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Java 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Java 901 This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).
Java 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
Java 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
Java 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Java 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
Java 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Java 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Java 915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Java 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Java 917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Java 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Java 921 The product stores sensitive information in a file system or device that does not have built-in access control.
Java 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Java 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Java 925 The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
Java 926 The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
Java 927 The Android application uses an implicit intent for transmitting sensitive data to other applications.
Java 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Java 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Java 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Java 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
Java 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
Java 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
Java 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Java 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Java 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
Java 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
Java 942 The product uses a cross-domain policy file that includes domains that should not be trusted.
Java 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Java 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Java 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
Java 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
Java 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Java 948 This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
Java 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Java 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
Java 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
Java 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
Java 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
Java 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
Java 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
Java 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
Java 960 This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5).
Java 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
Java 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
Java 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Java 965 This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.
Java 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
Java 970 This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).
Java 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
Java 974 This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10).
Java 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Java 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
Java 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Java 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Java 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
Java 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
Java 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
Java 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Java 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
Java 986 This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).
Java 987 This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).
Java 988 This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).
Java 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Java 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
Java 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Java 993 This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.
Java 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Java 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
Java 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
Java 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Java 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
Java 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
Java 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Java 1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Java 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Java 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Java 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Java 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
Java 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Java 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Java 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
Java 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Java 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Java 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Java 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
Java 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
Java 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Java 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Java 1023 The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Java 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
Java 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Java 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Java 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Java 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Java 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
Java 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Java 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
Java 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
Java 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
Java 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
Java 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
Java 1071 The source code contains a block that does not contain any code, i.e., the block is empty.
Java 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
Java 1104 The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
Java 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
Java 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Java 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
Java 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
Java 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Java 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Java 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1135 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1138 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1139 Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1142 Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1143 Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1144 Weaknesses in this category are related to the rules and recommendations in the Thread APIs (THI) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1145 Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1146 Weaknesses in this category are related to the rules and recommendations in the Thread-Safety Miscellaneous (TSM) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1151 Weaknesses in this category are related to the rules and recommendations in the Java Native Interface (JNI) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Java 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Java 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
Java 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
Java 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
Java 1160 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.
Java 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
Java 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Java 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Java 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
Java 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
Java 1166 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.
Java 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
Java 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Java 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Java 1171 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
Java 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Java 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Java 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Java 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
Java 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
Java 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
Java 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
Java 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Java 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
Java 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Java 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
Java 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Java 1208 Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components.
Java 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
Java 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
Java 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
Java 1213 Weaknesses in this category are related to a software system's random number generation.
Java 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
Java 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
Java 1217 Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.
Java 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
Java 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
Java 1238 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38).
Java 1275 The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
Java 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Java 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Java 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
Java 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Java 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
Java 1327 The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
Java 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Java 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Java 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Java 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Java 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Java 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Java 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Java 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
Java 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Java 1352 Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.
Java 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Java 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Java 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
Java 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
Java 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Java 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Java 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Java 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Java 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Java 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1373 Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1376 Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Java 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Java 1396 Weaknesses in this category are related to access control.
Java 1397 Weaknesses in this category are related to comparison.
Java 1398 Weaknesses in this category are related to component interaction.
Java 1399 Weaknesses in this category are related to memory safety.
Java 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Java 1401 Weaknesses in this category are related to concurrency.
Java 1402 Weaknesses in this category are related to encryption.
Java 1403 Weaknesses in this category are related to exposed resource.
Java 1404 Weaknesses in this category are related to file handling.
Java 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
Java 1406 Weaknesses in this category are related to improper input validation.
Java 1407 Weaknesses in this category are related to improper neutralization.
Java 1408 Weaknesses in this category are related to incorrect calculation.
Java 1409 Weaknesses in this category are related to injection.
Java 1410 Weaknesses in this category are related to insufficient control flow management.
Java 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
Java 1412 Weaknesses in this category are related to poor coding practices.
Java 1413 Weaknesses in this category are related to protection mechanism failure.
Java 1414 Weaknesses in this category are related to randomness.
Java 1415 Weaknesses in this category are related to resource control.
Java 1416 Weaknesses in this category are related to resource lifecycle management.
Java 1417 Weaknesses in this category are related to sensitive information exposure.
Java 1418 Weaknesses in this category are related to violation of secure design principles.
JavaScript 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
JavaScript 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
JavaScript 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
JavaScript 16 Weaknesses in this category are typically introduced during the configuration of the software.
JavaScript 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
JavaScript 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
JavaScript 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
JavaScript 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
JavaScript 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
JavaScript 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
JavaScript 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
JavaScript 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
JavaScript 73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
JavaScript 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
JavaScript 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
JavaScript 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
JavaScript 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
JavaScript 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
JavaScript 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
JavaScript 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
JavaScript 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
JavaScript 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
JavaScript 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
JavaScript 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
JavaScript 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
JavaScript 93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
JavaScript 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
JavaScript 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
JavaScript 99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
JavaScript 113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
JavaScript 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
JavaScript 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
JavaScript 133 Weaknesses in this category are related to the creation and modification of strings.
JavaScript 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
JavaScript 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
JavaScript 140 The product does not neutralize or incorrectly neutralizes delimiters.
JavaScript 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
JavaScript 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
JavaScript 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
JavaScript 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
JavaScript 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
JavaScript 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
JavaScript 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
JavaScript 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
JavaScript 183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
JavaScript 185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
JavaScript 187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
JavaScript 199 Weaknesses in this category are related to improper handling of sensitive information.
JavaScript 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
JavaScript 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
JavaScript 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
JavaScript 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
JavaScript 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
JavaScript 215 The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
JavaScript 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
JavaScript 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
JavaScript 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
JavaScript 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
JavaScript 228 The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
JavaScript 233 The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
JavaScript 248 An exception is thrown from a function, but it is not caught.
JavaScript 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
JavaScript 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
JavaScript 255 Weaknesses in this category are related to the management of credentials.
JavaScript 256 Storing a password in plaintext may result in a system compromise.
JavaScript 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
JavaScript 258 Using an empty string as a password is insecure.
JavaScript 260 The product stores a password in a configuration file that might be accessible to actors who do not know the password.
JavaScript 263 The product supports password aging, but the expiration period is too long.
JavaScript 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
JavaScript 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
JavaScript 269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
JavaScript 271 The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
JavaScript 272 The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
JavaScript 275 Weaknesses in this category are related to improper assignment or handling of permissions.
JavaScript 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
JavaScript 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
JavaScript 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
JavaScript 289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
JavaScript 290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
JavaScript 295 The product does not validate, or incorrectly validates, a certificate.
JavaScript 296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
JavaScript 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
JavaScript 304 The product implements an authentication technique, but it skips a step that weakens the technique.
JavaScript 305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
JavaScript 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
JavaScript 307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
JavaScript 308 The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
JavaScript 309 The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
JavaScript 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
JavaScript 311 The product does not encrypt sensitive or critical information before storage or transmission.
JavaScript 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
JavaScript 313 The product stores sensitive information in cleartext in a file, or on disk.
JavaScript 314 The product stores sensitive information in cleartext in the registry.
JavaScript 315 The product stores sensitive information in cleartext in a cookie.
JavaScript 317 The product stores sensitive information in cleartext within the GUI.
JavaScript 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
JavaScript 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
JavaScript 322 The product performs a key exchange with an actor without verifying the identity of that actor.
JavaScript 324 The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
JavaScript 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
JavaScript 327 The product uses a broken or risky cryptographic algorithm or protocol.
JavaScript 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
JavaScript 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
JavaScript 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
JavaScript 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
JavaScript 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
JavaScript 346 The product does not properly verify that the source of data or communication is valid.
JavaScript 347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
JavaScript 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
JavaScript 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
JavaScript 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
JavaScript 358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
JavaScript 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
JavaScript 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
JavaScript 371 Weaknesses in this category are related to improper management of system state.
JavaScript 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
JavaScript 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
JavaScript 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
JavaScript 399 Weaknesses in this category are related to improper management of system resources.
JavaScript 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
JavaScript 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
JavaScript 405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
JavaScript 409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
JavaScript 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
JavaScript 418 This category has been deprecated because it redundant with the grouping provided by CWE-417.
JavaScript 419 The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.
JavaScript 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
JavaScript 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
JavaScript 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
JavaScript 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
JavaScript 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
JavaScript 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
JavaScript 455 The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.
JavaScript 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
JavaScript 461 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
JavaScript 463 The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
JavaScript 465 Weaknesses in this category are related to improper handling of pointers.
JavaScript 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
JavaScript 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
JavaScript 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
JavaScript 484 The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
JavaScript 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
JavaScript 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
JavaScript 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
JavaScript 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
JavaScript 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
JavaScript 506 The product contains code that appears to be malicious in nature.
JavaScript 521 The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
JavaScript 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
JavaScript 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
JavaScript 524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
JavaScript 525 The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
JavaScript 526 The product uses an environment variable to store unencrypted sensitive information.
JavaScript 530 A backup file is stored in a directory or archive that is made accessible to unauthorized actors.
JavaScript 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
JavaScript 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
JavaScript 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
JavaScript 539 The web application uses persistent cookies, but the cookies contain sensitive information.
JavaScript 548 A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
JavaScript 549 The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
JavaScript 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
JavaScript 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
JavaScript 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
JavaScript 561 The product contains dead code, which can never be executed.
JavaScript 565 The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
JavaScript 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
JavaScript 569 Weaknesses in this category are related to incorrectly written expressions within code.
JavaScript 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
JavaScript 592 This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
JavaScript 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
JavaScript 602 The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
JavaScript 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
JavaScript 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
JavaScript 613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
JavaScript 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
JavaScript 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
JavaScript 625 The product uses a regular expression that does not sufficiently restrict the set of allowed values.
JavaScript 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
JavaScript 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
JavaScript 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
JavaScript 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
JavaScript 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
JavaScript 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
JavaScript 636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
JavaScript 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
JavaScript 642 The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
JavaScript 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
JavaScript 654 A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
JavaScript 657 The product violates well-established principles for secure design.
JavaScript 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
JavaScript 665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
JavaScript 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
JavaScript 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
JavaScript 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
JavaScript 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
JavaScript 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
JavaScript 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
JavaScript 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
JavaScript 676 The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
JavaScript 688 The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.
JavaScript 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
JavaScript 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
JavaScript 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
JavaScript 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
JavaScript 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
JavaScript 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
JavaScript 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
JavaScript 705 The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
JavaScript 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
JavaScript 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
JavaScript 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
JavaScript 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
JavaScript 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
JavaScript 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
JavaScript 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
JavaScript 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
JavaScript 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
JavaScript 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
JavaScript 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
JavaScript 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
JavaScript 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
JavaScript 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
JavaScript 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
JavaScript 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
JavaScript 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
JavaScript 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
JavaScript 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
JavaScript 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
JavaScript 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
JavaScript 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
JavaScript 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
JavaScript 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
JavaScript 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
JavaScript 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
JavaScript 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
JavaScript 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
JavaScript 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
JavaScript 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
JavaScript 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
JavaScript 755 The product does not handle or incorrectly handles an exceptional condition.
JavaScript 757 A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
JavaScript 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
JavaScript 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
JavaScript 776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
JavaScript 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
JavaScript 779 The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
JavaScript 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
JavaScript 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
JavaScript 799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
JavaScript 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
JavaScript 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
JavaScript 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
JavaScript 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
JavaScript 807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
JavaScript 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
JavaScript 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
JavaScript 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
JavaScript 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
JavaScript 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
JavaScript 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
JavaScript 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
JavaScript 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
JavaScript 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
JavaScript 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
JavaScript 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
JavaScript 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
JavaScript 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
JavaScript 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
JavaScript 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
JavaScript 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
JavaScript 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 846 Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 854 Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 855 Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
JavaScript 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
JavaScript 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
JavaScript 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
JavaScript 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
JavaScript 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
JavaScript 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
JavaScript 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
JavaScript 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
JavaScript 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
JavaScript 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
JavaScript 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
JavaScript 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
JavaScript 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
JavaScript 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
JavaScript 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
JavaScript 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
JavaScript 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
JavaScript 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
JavaScript 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
JavaScript 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
JavaScript 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
JavaScript 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
JavaScript 901 This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).
JavaScript 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
JavaScript 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
JavaScript 904 This category identifies Software Fault Patterns (SFPs) within the Malware cluster.
JavaScript 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
JavaScript 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
JavaScript 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
JavaScript 908 The product uses or accesses a resource that has not been initialized.
JavaScript 912 The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.
JavaScript 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
JavaScript 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
JavaScript 917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
JavaScript 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
JavaScript 921 The product stores sensitive information in a file system or device that does not have built-in access control.
JavaScript 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
JavaScript 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
JavaScript 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
JavaScript 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
JavaScript 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
JavaScript 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
JavaScript 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
JavaScript 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
JavaScript 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
JavaScript 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
JavaScript 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
JavaScript 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
JavaScript 942 The product uses a cross-domain policy file that includes domains that should not be trusted.
JavaScript 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
JavaScript 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
JavaScript 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
JavaScript 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
JavaScript 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
JavaScript 948 This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
JavaScript 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
JavaScript 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
JavaScript 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
JavaScript 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
JavaScript 955 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34).
JavaScript 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
JavaScript 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
JavaScript 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
JavaScript 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
JavaScript 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
JavaScript 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
JavaScript 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
JavaScript 965 This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.
JavaScript 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
JavaScript 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
JavaScript 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
JavaScript 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
JavaScript 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
JavaScript 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
JavaScript 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
JavaScript 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
JavaScript 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
JavaScript 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
JavaScript 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
JavaScript 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
JavaScript 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
JavaScript 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
JavaScript 993 This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.
JavaScript 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
JavaScript 995 This category identifies Software Fault Patterns (SFPs) within the Feature cluster.
JavaScript 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
JavaScript 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
JavaScript 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
JavaScript 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
JavaScript 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
JavaScript 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
JavaScript 1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
JavaScript 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
JavaScript 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
JavaScript 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
JavaScript 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
JavaScript 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
JavaScript 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
JavaScript 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
JavaScript 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
JavaScript 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
JavaScript 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
JavaScript 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
JavaScript 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
JavaScript 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
JavaScript 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
JavaScript 1021 The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
JavaScript 1022 The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
JavaScript 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
JavaScript 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
JavaScript 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
JavaScript 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
JavaScript 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
JavaScript 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
JavaScript 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
JavaScript 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
JavaScript 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
JavaScript 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
JavaScript 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
JavaScript 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
JavaScript 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
JavaScript 1104 The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
JavaScript 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
JavaScript 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
JavaScript 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
JavaScript 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
JavaScript 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
JavaScript 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
JavaScript 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1135 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1145 Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
JavaScript 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
JavaScript 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
JavaScript 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
JavaScript 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
JavaScript 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
JavaScript 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
JavaScript 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
JavaScript 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
JavaScript 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
JavaScript 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
JavaScript 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
JavaScript 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
JavaScript 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
JavaScript 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
JavaScript 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
JavaScript 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
JavaScript 1187 This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908.
JavaScript 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
JavaScript 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
JavaScript 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
JavaScript 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
JavaScript 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
JavaScript 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
JavaScript 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
JavaScript 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
JavaScript 1213 Weaknesses in this category are related to a software system's random number generation.
JavaScript 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
JavaScript 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
JavaScript 1217 Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.
JavaScript 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
JavaScript 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
JavaScript 1275 The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
JavaScript 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
JavaScript 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
JavaScript 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
JavaScript 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
JavaScript 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
JavaScript 1327 The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
JavaScript 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
JavaScript 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
JavaScript 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
JavaScript 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
JavaScript 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
JavaScript 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
JavaScript 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
JavaScript 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
JavaScript 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
JavaScript 1352 Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.
JavaScript 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
JavaScript 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
JavaScript 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
JavaScript 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
JavaScript 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
JavaScript 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
JavaScript 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
JavaScript 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
JavaScript 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
JavaScript 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1373 Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
JavaScript 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
JavaScript 1396 Weaknesses in this category are related to access control.
JavaScript 1397 Weaknesses in this category are related to comparison.
JavaScript 1398 Weaknesses in this category are related to component interaction.
JavaScript 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
JavaScript 1402 Weaknesses in this category are related to encryption.
JavaScript 1403 Weaknesses in this category are related to exposed resource.
JavaScript 1404 Weaknesses in this category are related to file handling.
JavaScript 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
JavaScript 1406 Weaknesses in this category are related to improper input validation.
JavaScript 1407 Weaknesses in this category are related to improper neutralization.
JavaScript 1409 Weaknesses in this category are related to injection.
JavaScript 1410 Weaknesses in this category are related to insufficient control flow management.
JavaScript 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
JavaScript 1412 Weaknesses in this category are related to poor coding practices.
JavaScript 1413 Weaknesses in this category are related to protection mechanism failure.
JavaScript 1414 Weaknesses in this category are related to randomness.
JavaScript 1415 Weaknesses in this category are related to resource control.
JavaScript 1416 Weaknesses in this category are related to resource lifecycle management.
JavaScript 1417 Weaknesses in this category are related to sensitive information exposure.
JavaScript 1418 Weaknesses in this category are related to violation of secure design principles.
Kotlin 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
Kotlin 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
Kotlin 16 Weaknesses in this category are typically introduced during the configuration of the software.
Kotlin 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Kotlin 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Kotlin 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
Kotlin 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Kotlin 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Kotlin 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Kotlin 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Kotlin 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Kotlin 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Kotlin 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Kotlin 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Kotlin 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Kotlin 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Kotlin 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Kotlin 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Kotlin 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
Kotlin 118 The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.
Kotlin 119 The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Kotlin 133 Weaknesses in this category are related to the creation and modification of strings.
Kotlin 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Kotlin 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
Kotlin 140 The product does not neutralize or incorrectly neutralizes delimiters.
Kotlin 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
Kotlin 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
Kotlin 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
Kotlin 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
Kotlin 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
Kotlin 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Kotlin 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
Kotlin 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Kotlin 185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Kotlin 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
Kotlin 190 The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
Kotlin 199 Weaknesses in this category are related to improper handling of sensitive information.
Kotlin 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Kotlin 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Kotlin 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Kotlin 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
Kotlin 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
Kotlin 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
Kotlin 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
Kotlin 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
Kotlin 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
Kotlin 242 The product calls a function that can never be guaranteed to work safely.
Kotlin 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
Kotlin 252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Kotlin 253 The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
Kotlin 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Kotlin 255 Weaknesses in this category are related to the management of credentials.
Kotlin 256 Storing a password in plaintext may result in a system compromise.
Kotlin 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
Kotlin 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Kotlin 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Kotlin 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Kotlin 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Kotlin 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Kotlin 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Kotlin 295 The product does not validate, or incorrectly validates, a certificate.
Kotlin 296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
Kotlin 297 The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Kotlin 299 The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
Kotlin 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
Kotlin 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Kotlin 311 The product does not encrypt sensitive or critical information before storage or transmission.
Kotlin 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Kotlin 313 The product stores sensitive information in cleartext in a file, or on disk.
Kotlin 314 The product stores sensitive information in cleartext in the registry.
Kotlin 315 The product stores sensitive information in cleartext in a cookie.
Kotlin 317 The product stores sensitive information in cleartext within the GUI.
Kotlin 318 The product stores sensitive information in cleartext in an executable.
Kotlin 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Kotlin 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
Kotlin 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Kotlin 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Kotlin 327 The product uses a broken or risky cryptographic algorithm or protocol.
Kotlin 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Kotlin 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Kotlin 335 The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
Kotlin 336 A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
Kotlin 337 A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
Kotlin 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Kotlin 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Kotlin 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Kotlin 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Kotlin 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
Kotlin 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Kotlin 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Kotlin 362 The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
Kotlin 366 If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
Kotlin 369 The product divides a value by zero.
Kotlin 380 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 381 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
Kotlin 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
Kotlin 390 The product detects a specific error, but takes no actions to handle the error.
Kotlin 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Kotlin 399 Weaknesses in this category are related to improper management of system resources.
Kotlin 402 The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
Kotlin 403 A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
Kotlin 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Kotlin 405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Kotlin 409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Kotlin 411 Weaknesses in this category are related to improper handling of locks that are used to control access to resources.
Kotlin 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
Kotlin 427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Kotlin 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
Kotlin 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Kotlin 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
Kotlin 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
Kotlin 465 Weaknesses in this category are related to improper handling of pointers.
Kotlin 470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Kotlin 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Kotlin 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
Kotlin 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
Kotlin 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
Kotlin 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
Kotlin 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Kotlin 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Kotlin 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Kotlin 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Kotlin 524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Kotlin 525 The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
Kotlin 526 The product uses an environment variable to store unencrypted sensitive information.
Kotlin 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Kotlin 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
Kotlin 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Kotlin 539 The web application uses persistent cookies, but the cookies contain sensitive information.
Kotlin 543 The product uses the singleton pattern when creating a resource within a multithreaded environment.
Kotlin 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
Kotlin 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Kotlin 557 Weaknesses in this category are related to concurrent use of shared resources.
Kotlin 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Kotlin 561 The product contains dead code, which can never be executed.
Kotlin 563 The variable's value is assigned but never used, making it a dead store.
Kotlin 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Kotlin 567 The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
Kotlin 569 Weaknesses in this category are related to incorrectly written expressions within code.
Kotlin 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
Kotlin 596 This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023.
Kotlin 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Kotlin 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Kotlin 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Kotlin 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
Kotlin 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Kotlin 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Kotlin 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Kotlin 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Kotlin 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Kotlin 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Kotlin 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Kotlin 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Kotlin 657 The product violates well-established principles for secure design.
Kotlin 662 The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
Kotlin 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Kotlin 667 The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
Kotlin 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Kotlin 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Kotlin 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Kotlin 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Kotlin 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Kotlin 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Kotlin 683 The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
Kotlin 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Kotlin 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Kotlin 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
Kotlin 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Kotlin 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Kotlin 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Kotlin 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Kotlin 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Kotlin 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Kotlin 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Kotlin 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Kotlin 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
Kotlin 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
Kotlin 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
Kotlin 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Kotlin 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Kotlin 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Kotlin 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
Kotlin 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Kotlin 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Kotlin 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Kotlin 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Kotlin 726 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.
Kotlin 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Kotlin 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
Kotlin 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Kotlin 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
Kotlin 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
Kotlin 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Kotlin 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 745 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Kotlin 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
Kotlin 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Kotlin 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Kotlin 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
Kotlin 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Kotlin 754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Kotlin 755 The product does not handle or incorrectly handles an exceptional condition.
Kotlin 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
Kotlin 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
Kotlin 776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Kotlin 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Kotlin 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
Kotlin 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Kotlin 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Kotlin 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Kotlin 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
Kotlin 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Kotlin 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Kotlin 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Kotlin 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Kotlin 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Kotlin 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
Kotlin 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
Kotlin 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Kotlin 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
Kotlin 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Kotlin 820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
Kotlin 827 The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.
Kotlin 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Kotlin 833 The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
Kotlin 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Kotlin 835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Kotlin 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Kotlin 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Kotlin 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 847 Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 852 Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 853 Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 855 Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Kotlin 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Kotlin 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Kotlin 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Kotlin 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Kotlin 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Kotlin 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Kotlin 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 879 Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Kotlin 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Kotlin 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
Kotlin 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
Kotlin 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
Kotlin 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Kotlin 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
Kotlin 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
Kotlin 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Kotlin 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Kotlin 894 This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).
Kotlin 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Kotlin 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Kotlin 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
Kotlin 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Kotlin 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Kotlin 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Kotlin 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
Kotlin 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
Kotlin 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Kotlin 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
Kotlin 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Kotlin 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Kotlin 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Kotlin 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Kotlin 921 The product stores sensitive information in a file system or device that does not have built-in access control.
Kotlin 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Kotlin 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Kotlin 925 The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
Kotlin 926 The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
Kotlin 927 The Android application uses an implicit intent for transmitting sensitive data to other applications.
Kotlin 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Kotlin 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Kotlin 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Kotlin 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
Kotlin 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
Kotlin 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Kotlin 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Kotlin 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Kotlin 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Kotlin 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
Kotlin 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Kotlin 948 This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
Kotlin 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Kotlin 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
Kotlin 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
Kotlin 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
Kotlin 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
Kotlin 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
Kotlin 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
Kotlin 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
Kotlin 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Kotlin 965 This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.
Kotlin 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
Kotlin 970 This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).
Kotlin 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
Kotlin 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Kotlin 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
Kotlin 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Kotlin 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Kotlin 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
Kotlin 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
Kotlin 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Kotlin 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
Kotlin 986 This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).
Kotlin 988 This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).
Kotlin 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Kotlin 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
Kotlin 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Kotlin 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Kotlin 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
Kotlin 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
Kotlin 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Kotlin 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
Kotlin 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
Kotlin 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Kotlin 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Kotlin 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Kotlin 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Kotlin 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
Kotlin 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Kotlin 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Kotlin 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
Kotlin 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Kotlin 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Kotlin 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Kotlin 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
Kotlin 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Kotlin 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Kotlin 1023 The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Kotlin 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
Kotlin 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Kotlin 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Kotlin 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Kotlin 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Kotlin 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
Kotlin 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Kotlin 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
Kotlin 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
Kotlin 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
Kotlin 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
Kotlin 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
Kotlin 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
Kotlin 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Kotlin 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
Kotlin 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
Kotlin 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Kotlin 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Kotlin 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1142 Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1143 Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1145 Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Kotlin 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Kotlin 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
Kotlin 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
Kotlin 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
Kotlin 1160 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.
Kotlin 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
Kotlin 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Kotlin 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Kotlin 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
Kotlin 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
Kotlin 1166 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.
Kotlin 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
Kotlin 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Kotlin 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Kotlin 1171 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
Kotlin 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Kotlin 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Kotlin 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Kotlin 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
Kotlin 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
Kotlin 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
Kotlin 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
Kotlin 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Kotlin 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
Kotlin 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Kotlin 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
Kotlin 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Kotlin 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
Kotlin 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
Kotlin 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
Kotlin 1213 Weaknesses in this category are related to a software system's random number generation.
Kotlin 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
Kotlin 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
Kotlin 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
Kotlin 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Kotlin 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Kotlin 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
Kotlin 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Kotlin 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
Kotlin 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Kotlin 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Kotlin 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Kotlin 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Kotlin 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Kotlin 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Kotlin 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Kotlin 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
Kotlin 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Kotlin 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Kotlin 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Kotlin 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
Kotlin 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
Kotlin 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Kotlin 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Kotlin 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Kotlin 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Kotlin 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Kotlin 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1376 Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Kotlin 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Kotlin 1396 Weaknesses in this category are related to access control.
Kotlin 1397 Weaknesses in this category are related to comparison.
Kotlin 1399 Weaknesses in this category are related to memory safety.
Kotlin 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Kotlin 1401 Weaknesses in this category are related to concurrency.
Kotlin 1402 Weaknesses in this category are related to encryption.
Kotlin 1403 Weaknesses in this category are related to exposed resource.
Kotlin 1404 Weaknesses in this category are related to file handling.
Kotlin 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
Kotlin 1406 Weaknesses in this category are related to improper input validation.
Kotlin 1407 Weaknesses in this category are related to improper neutralization.
Kotlin 1408 Weaknesses in this category are related to incorrect calculation.
Kotlin 1409 Weaknesses in this category are related to injection.
Kotlin 1410 Weaknesses in this category are related to insufficient control flow management.
Kotlin 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
Kotlin 1412 Weaknesses in this category are related to poor coding practices.
Kotlin 1413 Weaknesses in this category are related to protection mechanism failure.
Kotlin 1414 Weaknesses in this category are related to randomness.
Kotlin 1415 Weaknesses in this category are related to resource control.
Kotlin 1416 Weaknesses in this category are related to resource lifecycle management.
Kotlin 1417 Weaknesses in this category are related to sensitive information exposure.
Kotlin 1418 Weaknesses in this category are related to violation of secure design principles.
PHP 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
PHP 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
PHP 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
PHP 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
PHP 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
PHP 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
PHP 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
PHP 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
PHP 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
PHP 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
PHP 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
PHP 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
PHP 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
PHP 99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
PHP 115 The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
PHP 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
PHP 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
PHP 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
PHP 183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
PHP 199 Weaknesses in this category are related to improper handling of sensitive information.
PHP 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
PHP 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
PHP 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
PHP 255 Weaknesses in this category are related to the management of credentials.
PHP 261 Obscuring a password with a trivial encoding does not protect the password.
PHP 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
PHP 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
PHP 275 Weaknesses in this category are related to improper assignment or handling of permissions.
PHP 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
PHP 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
PHP 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
PHP 295 The product does not validate, or incorrectly validates, a certificate.
PHP 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
PHP 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
PHP 311 The product does not encrypt sensitive or critical information before storage or transmission.
PHP 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
PHP 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
PHP 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
PHP 327 The product uses a broken or risky cryptographic algorithm or protocol.
PHP 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
PHP 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
PHP 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
PHP 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
PHP 346 The product does not properly verify that the source of data or communication is valid.
PHP 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
PHP 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
PHP 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
PHP 384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
PHP 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
PHP 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
PHP 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
PHP 399 Weaknesses in this category are related to improper management of system resources.
PHP 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
PHP 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
PHP 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
PHP 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
PHP 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
PHP 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
PHP 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
PHP 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
PHP 470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
PHP 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
PHP 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
PHP 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
PHP 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
PHP 521 The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
PHP 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
PHP 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
PHP 524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
PHP 525 The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
PHP 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
PHP 539 The web application uses persistent cookies, but the cookies contain sensitive information.
PHP 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
PHP 613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
PHP 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
PHP 621 The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.
PHP 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
PHP 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
PHP 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
PHP 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
PHP 657 The product violates well-established principles for secure design.
PHP 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
PHP 665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
PHP 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
PHP 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
PHP 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
PHP 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
PHP 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
PHP 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
PHP 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
PHP 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
PHP 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
PHP 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
PHP 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
PHP 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
PHP 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
PHP 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
PHP 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
PHP 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
PHP 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
PHP 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
PHP 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
PHP 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
PHP 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
PHP 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
PHP 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
PHP 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
PHP 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
PHP 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
PHP 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
PHP 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
PHP 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
PHP 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
PHP 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
PHP 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
PHP 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
PHP 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
PHP 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
PHP 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
PHP 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
PHP 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
PHP 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
PHP 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
PHP 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
PHP 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
PHP 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
PHP 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
PHP 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
PHP 755 The product does not handle or incorrectly handles an exceptional condition.
PHP 770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
PHP 779 The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
PHP 780 The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
PHP 789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
PHP 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
PHP 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
PHP 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
PHP 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
PHP 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
PHP 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
PHP 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
PHP 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
PHP 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
PHP 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
PHP 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
PHP 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
PHP 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
PHP 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
PHP 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
PHP 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
PHP 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
PHP 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 846 Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
PHP 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
PHP 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
PHP 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
PHP 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
PHP 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
PHP 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
PHP 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
PHP 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
PHP 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
PHP 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
PHP 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
PHP 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
PHP 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
PHP 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
PHP 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
PHP 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
PHP 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
PHP 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
PHP 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
PHP 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
PHP 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
PHP 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
PHP 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
PHP 914 The product does not properly restrict reading from or writing to dynamically-identified variables.
PHP 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
PHP 917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
PHP 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
PHP 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
PHP 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
PHP 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
PHP 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
PHP 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
PHP 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
PHP 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
PHP 942 The product uses a cross-domain policy file that includes domains that should not be trusted.
PHP 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
PHP 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
PHP 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
PHP 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
PHP 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
PHP 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
PHP 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
PHP 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
PHP 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
PHP 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
PHP 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
PHP 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
PHP 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
PHP 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
PHP 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
PHP 965 This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.
PHP 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
PHP 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
PHP 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
PHP 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
PHP 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
PHP 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
PHP 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
PHP 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
PHP 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
PHP 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
PHP 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
PHP 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
PHP 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
PHP 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
PHP 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
PHP 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
PHP 1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
PHP 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
PHP 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
PHP 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
PHP 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
PHP 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
PHP 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
PHP 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
PHP 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
PHP 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
PHP 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
PHP 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
PHP 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
PHP 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
PHP 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
PHP 1021 The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
PHP 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
PHP 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
PHP 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
PHP 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
PHP 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
PHP 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
PHP 1104 The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
PHP 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
PHP 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
PHP 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
PHP 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1135 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
PHP 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
PHP 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
PHP 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
PHP 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
PHP 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
PHP 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
PHP 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
PHP 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
PHP 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
PHP 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
PHP 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
PHP 1204 The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.
PHP 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
PHP 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
PHP 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
PHP 1213 Weaknesses in this category are related to a software system's random number generation.
PHP 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
PHP 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
PHP 1217 Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.
PHP 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
PHP 1275 The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
PHP 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
PHP 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
PHP 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
PHP 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
PHP 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
PHP 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
PHP 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
PHP 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
PHP 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
PHP 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
PHP 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
PHP 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
PHP 1352 Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.
PHP 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
PHP 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
PHP 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
PHP 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
PHP 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
PHP 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
PHP 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
PHP 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
PHP 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
PHP 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
PHP 1396 Weaknesses in this category are related to access control.
PHP 1397 Weaknesses in this category are related to comparison.
PHP 1398 Weaknesses in this category are related to component interaction.
PHP 1399 Weaknesses in this category are related to memory safety.
PHP 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
PHP 1402 Weaknesses in this category are related to encryption.
PHP 1403 Weaknesses in this category are related to exposed resource.
PHP 1404 Weaknesses in this category are related to file handling.
PHP 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
PHP 1406 Weaknesses in this category are related to improper input validation.
PHP 1407 Weaknesses in this category are related to improper neutralization.
PHP 1409 Weaknesses in this category are related to injection.
PHP 1410 Weaknesses in this category are related to insufficient control flow management.
PHP 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
PHP 1412 Weaknesses in this category are related to poor coding practices.
PHP 1413 Weaknesses in this category are related to protection mechanism failure.
PHP 1414 Weaknesses in this category are related to randomness.
PHP 1415 Weaknesses in this category are related to resource control.
PHP 1416 Weaknesses in this category are related to resource lifecycle management.
PHP 1417 Weaknesses in this category are related to sensitive information exposure.
PHP 1418 Weaknesses in this category are related to violation of secure design principles.
Python 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
Python 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Python 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
Python 16 Weaknesses in this category are typically introduced during the configuration of the software.
Python 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Python 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Python 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Python 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Python 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
Python 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Python 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Python 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Python 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Python 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Python 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Python 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Python 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Python 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
Python 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Python 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
Python 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
Python 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
Python 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Python 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Python 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Python 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Python 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Python 115 The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
Python 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Python 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
Python 133 Weaknesses in this category are related to the creation and modification of strings.
Python 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Python 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
Python 140 The product does not neutralize or incorrectly neutralizes delimiters.
Python 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
Python 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
Python 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
Python 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
Python 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
Python 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Python 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
Python 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Python 183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Python 185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Python 187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
Python 199 Weaknesses in this category are related to improper handling of sensitive information.
Python 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Python 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Python 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Python 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
Python 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
Python 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
Python 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
Python 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
Python 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
Python 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
Python 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Python 255 Weaknesses in this category are related to the management of credentials.
Python 256 Storing a password in plaintext may result in a system compromise.
Python 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
Python 258 Using an empty string as a password is insecure.
Python 260 The product stores a password in a configuration file that might be accessible to actors who do not know the password.
Python 261 Obscuring a password with a trivial encoding does not protect the password.
Python 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Python 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Python 275 Weaknesses in this category are related to improper assignment or handling of permissions.
Python 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Python 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Python 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Python 290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Python 295 The product does not validate, or incorrectly validates, a certificate.
Python 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
Python 304 The product implements an authentication technique, but it skips a step that weakens the technique.
Python 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Python 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Python 311 The product does not encrypt sensitive or critical information before storage or transmission.
Python 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Python 313 The product stores sensitive information in cleartext in a file, or on disk.
Python 314 The product stores sensitive information in cleartext in the registry.
Python 315 The product stores sensitive information in cleartext in a cookie.
Python 317 The product stores sensitive information in cleartext within the GUI.
Python 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Python 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
Python 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Python 327 The product uses a broken or risky cryptographic algorithm or protocol.
Python 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Python 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Python 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Python 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Python 346 The product does not properly verify that the source of data or communication is valid.
Python 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Python 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Python 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
Python 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Python 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Python 376 This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).
Python 377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Python 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
Python 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
Python 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Python 399 Weaknesses in this category are related to improper management of system resources.
Python 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Python 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Python 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
Python 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
Python 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Python 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
Python 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
Python 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Python 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
Python 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
Python 465 Weaknesses in this category are related to improper handling of pointers.
Python 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Python 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
Python 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
Python 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
Python 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Python 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Python 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
Python 521 The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
Python 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Python 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Python 526 The product uses an environment variable to store unencrypted sensitive information.
Python 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Python 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
Python 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Python 539 The web application uses persistent cookies, but the cookies contain sensitive information.
Python 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
Python 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Python 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Python 561 The product contains dead code, which can never be executed.
Python 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Python 569 Weaknesses in this category are related to incorrectly written expressions within code.
Python 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
Python 592 This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
Python 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Python 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Python 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Python 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Python 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Python 625 The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Python 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
Python 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Python 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Python 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Python 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Python 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Python 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Python 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Python 657 The product violates well-established principles for secure design.
Python 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Python 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Python 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Python 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Python 676 The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
Python 688 The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.
Python 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Python 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
Python 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Python 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
Python 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Python 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Python 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Python 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Python 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Python 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Python 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Python 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
Python 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Python 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
Python 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
Python 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
Python 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
Python 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Python 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Python 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Python 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
Python 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Python 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Python 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Python 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Python 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Python 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
Python 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Python 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
Python 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
Python 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Python 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Python 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
Python 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
Python 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Python 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
Python 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Python 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
Python 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
Python 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Python 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Python 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Python 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Python 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
Python 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Python 755 The product does not handle or incorrectly handles an exceptional condition.
Python 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
Python 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Python 779 The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
Python 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
Python 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Python 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Python 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Python 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
Python 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Python 807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Python 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Python 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Python 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Python 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
Python 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Python 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
Python 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
Python 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
Python 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Python 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
Python 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Python 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
Python 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Python 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Python 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Python 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Python 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Python 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Python 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Python 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Python 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Python 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Python 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Python 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
Python 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
Python 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
Python 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Python 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
Python 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
Python 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Python 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Python 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Python 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Python 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
Python 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Python 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Python 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Python 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
Python 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
Python 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Python 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
Python 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Python 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Python 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Python 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Python 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Python 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Python 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Python 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Python 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Python 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
Python 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
Python 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
Python 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Python 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Python 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
Python 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
Python 942 The product uses a cross-domain policy file that includes domains that should not be trusted.
Python 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Python 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Python 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
Python 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
Python 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Python 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Python 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
Python 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
Python 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
Python 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
Python 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
Python 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
Python 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
Python 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
Python 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
Python 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Python 964 This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.
Python 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
Python 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
Python 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Python 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
Python 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Python 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Python 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
Python 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
Python 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Python 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
Python 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Python 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
Python 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Python 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Python 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
Python 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
Python 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Python 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
Python 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
Python 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Python 1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Python 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Python 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Python 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Python 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
Python 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Python 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Python 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
Python 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Python 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Python 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Python 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
Python 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Python 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Python 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
Python 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Python 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Python 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Python 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Python 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
Python 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Python 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
Python 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
Python 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
Python 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
Python 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
Python 1104 The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
Python 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Python 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
Python 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Python 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Python 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Python 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Python 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
Python 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
Python 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Python 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Python 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
Python 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
Python 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
Python 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Python 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Python 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Python 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Python 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Python 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
Python 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
Python 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
Python 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Python 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
Python 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Python 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
Python 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Python 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
Python 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
Python 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
Python 1213 Weaknesses in this category are related to a software system's random number generation.
Python 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
Python 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
Python 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
Python 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
Python 1275 The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
Python 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Python 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Python 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
Python 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Python 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
Python 1327 The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
Python 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Python 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Python 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Python 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Python 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Python 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Python 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Python 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
Python 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Python 1352 Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.
Python 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Python 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Python 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
Python 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
Python 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Python 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Python 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Python 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Python 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Python 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1373 Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Python 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Python 1396 Weaknesses in this category are related to access control.
Python 1397 Weaknesses in this category are related to comparison.
Python 1398 Weaknesses in this category are related to component interaction.
Python 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Python 1402 Weaknesses in this category are related to encryption.
Python 1403 Weaknesses in this category are related to exposed resource.
Python 1404 Weaknesses in this category are related to file handling.
Python 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
Python 1406 Weaknesses in this category are related to improper input validation.
Python 1407 Weaknesses in this category are related to improper neutralization.
Python 1409 Weaknesses in this category are related to injection.
Python 1410 Weaknesses in this category are related to insufficient control flow management.
Python 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
Python 1412 Weaknesses in this category are related to poor coding practices.
Python 1413 Weaknesses in this category are related to protection mechanism failure.
Python 1414 Weaknesses in this category are related to randomness.
Python 1415 Weaknesses in this category are related to resource control.
Python 1416 Weaknesses in this category are related to resource lifecycle management.
Python 1417 Weaknesses in this category are related to sensitive information exposure.
Python 1418 Weaknesses in this category are related to violation of secure design principles.
Ruby 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
Ruby 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Ruby 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Ruby 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Ruby 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Ruby 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
Ruby 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Ruby 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Ruby 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
Ruby 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Ruby 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Ruby 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Ruby 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Ruby 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Ruby 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
Ruby 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
Ruby 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
Ruby 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
Ruby 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
Ruby 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Ruby 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Ruby 93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Ruby 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Ruby 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Ruby 113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
Ruby 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Ruby 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Ruby 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
Ruby 140 The product does not neutralize or incorrectly neutralizes delimiters.
Ruby 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
Ruby 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
Ruby 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
Ruby 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
Ruby 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
Ruby 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
Ruby 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Ruby 184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
Ruby 185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Ruby 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
Ruby 199 Weaknesses in this category are related to improper handling of sensitive information.
Ruby 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Ruby 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
Ruby 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Ruby 255 Weaknesses in this category are related to the management of credentials.
Ruby 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Ruby 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Ruby 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Ruby 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Ruby 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Ruby 295 The product does not validate, or incorrectly validates, a certificate.
Ruby 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
Ruby 307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
Ruby 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Ruby 311 The product does not encrypt sensitive or critical information before storage or transmission.
Ruby 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Ruby 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
Ruby 327 The product uses a broken or risky cryptographic algorithm or protocol.
Ruby 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Ruby 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Ruby 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Ruby 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Ruby 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
Ruby 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Ruby 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Ruby 369 The product divides a value by zero.
Ruby 371 Weaknesses in this category are related to improper management of system state.
Ruby 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Ruby 399 Weaknesses in this category are related to improper management of system resources.
Ruby 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Ruby 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
Ruby 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Ruby 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
Ruby 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Ruby 470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Ruby 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Ruby 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
Ruby 521 The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
Ruby 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Ruby 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Ruby 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Ruby 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Ruby 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
Ruby 625 The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Ruby 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Ruby 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Ruby 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Ruby 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Ruby 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Ruby 642 The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
Ruby 657 The product violates well-established principles for secure design.
Ruby 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Ruby 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Ruby 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Ruby 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Ruby 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Ruby 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
Ruby 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Ruby 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
Ruby 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Ruby 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Ruby 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Ruby 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Ruby 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Ruby 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Ruby 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
Ruby 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Ruby 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
Ruby 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
Ruby 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
Ruby 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
Ruby 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Ruby 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Ruby 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Ruby 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
Ruby 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Ruby 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Ruby 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Ruby 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Ruby 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Ruby 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Ruby 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
Ruby 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
Ruby 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Ruby 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Ruby 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
Ruby 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
Ruby 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Ruby 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
Ruby 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
Ruby 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Ruby 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Ruby 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Ruby 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Ruby 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
Ruby 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Ruby 777 The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.
Ruby 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Ruby 799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
Ruby 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Ruby 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Ruby 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
Ruby 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Ruby 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Ruby 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Ruby 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Ruby 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
Ruby 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Ruby 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
Ruby 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
Ruby 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Ruby 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
Ruby 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Ruby 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
Ruby 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Ruby 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Ruby 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Ruby 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Ruby 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Ruby 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Ruby 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Ruby 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Ruby 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Ruby 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Ruby 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Ruby 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Ruby 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Ruby 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Ruby 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Ruby 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Ruby 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
Ruby 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Ruby 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Ruby 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Ruby 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Ruby 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Ruby 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Ruby 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Ruby 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Ruby 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
Ruby 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
Ruby 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Ruby 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Ruby 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Ruby 915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Ruby 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Ruby 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Ruby 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Ruby 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Ruby 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Ruby 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
Ruby 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
Ruby 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
Ruby 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Ruby 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Ruby 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
Ruby 937 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2013.
Ruby 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
Ruby 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Ruby 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Ruby 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
Ruby 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Ruby 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Ruby 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
Ruby 955 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34).
Ruby 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
Ruby 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
Ruby 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
Ruby 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Ruby 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Ruby 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
Ruby 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Ruby 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Ruby 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
Ruby 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
Ruby 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Ruby 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Ruby 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
Ruby 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Ruby 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Ruby 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
Ruby 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Ruby 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Ruby 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Ruby 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Ruby 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Ruby 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Ruby 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Ruby 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Ruby 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Ruby 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Ruby 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Ruby 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Ruby 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Ruby 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Ruby 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Ruby 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Ruby 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Ruby 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
Ruby 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
Ruby 1035 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2017.
Ruby 1104 The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
Ruby 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Ruby 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Ruby 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Ruby 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Ruby 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
Ruby 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
Ruby 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Ruby 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Ruby 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Ruby 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Ruby 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
Ruby 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
Ruby 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Ruby 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Ruby 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
Ruby 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Ruby 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Ruby 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Ruby 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Ruby 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
Ruby 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Ruby 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Ruby 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Ruby 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
Ruby 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
Ruby 1213 Weaknesses in this category are related to a software system's random number generation.
Ruby 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
Ruby 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
Ruby 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
Ruby 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Ruby 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Ruby 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Ruby 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
Ruby 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Ruby 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Ruby 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Ruby 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Ruby 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Ruby 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Ruby 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Ruby 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
Ruby 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Ruby 1352 Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.
Ruby 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Ruby 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Ruby 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Ruby 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Ruby 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Ruby 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Ruby 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Ruby 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Ruby 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Ruby 1396 Weaknesses in this category are related to access control.
Ruby 1397 Weaknesses in this category are related to comparison.
Ruby 1398 Weaknesses in this category are related to component interaction.
Ruby 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Ruby 1402 Weaknesses in this category are related to encryption.
Ruby 1403 Weaknesses in this category are related to exposed resource.
Ruby 1404 Weaknesses in this category are related to file handling.
Ruby 1406 Weaknesses in this category are related to improper input validation.
Ruby 1407 Weaknesses in this category are related to improper neutralization.
Ruby 1408 Weaknesses in this category are related to incorrect calculation.
Ruby 1409 Weaknesses in this category are related to injection.
Ruby 1410 Weaknesses in this category are related to insufficient control flow management.
Ruby 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
Ruby 1412 Weaknesses in this category are related to poor coding practices.
Ruby 1413 Weaknesses in this category are related to protection mechanism failure.
Ruby 1414 Weaknesses in this category are related to randomness.
Ruby 1415 Weaknesses in this category are related to resource control.
Ruby 1416 Weaknesses in this category are related to resource lifecycle management.
Ruby 1417 Weaknesses in this category are related to sensitive information exposure.
Ruby 1418 Weaknesses in this category are related to violation of secure design principles.
Scala 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Scala 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Scala 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Scala 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Scala 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Scala 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Scala 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Scala 133 Weaknesses in this category are related to the creation and modification of strings.
Scala 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Scala 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Scala 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
Scala 190 The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
Scala 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Scala 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Scala 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Scala 399 Weaknesses in this category are related to improper management of system resources.
Scala 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
Scala 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
Scala 465 Weaknesses in this category are related to improper handling of pointers.
Scala 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Scala 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
Scala 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
Scala 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
Scala 561 The product contains dead code, which can never be executed.
Scala 569 Weaknesses in this category are related to incorrectly written expressions within code.
Scala 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Scala 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Scala 665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Scala 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Scala 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Scala 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Scala 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Scala 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Scala 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Scala 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Scala 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Scala 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Scala 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Scala 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Scala 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
Scala 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Scala 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
Scala 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Scala 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
Scala 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
Scala 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Scala 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Scala 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Scala 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Scala 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Scala 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
Scala 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
Scala 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Scala 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
Scala 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Scala 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Scala 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Scala 846 Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Scala 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Scala 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Scala 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Scala 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Scala 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Scala 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Scala 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Scala 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Scala 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Scala 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Scala 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
Scala 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
Scala 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Scala 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
Scala 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
Scala 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Scala 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Scala 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Scala 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Scala 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Scala 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Scala 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Scala 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
Scala 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
Scala 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Scala 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
Scala 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Scala 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Scala 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Scala 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
Scala 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Scala 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Scala 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
Scala 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Scala 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Scala 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Scala 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Scala 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Scala 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Scala 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Scala 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
Scala 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
Scala 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
Scala 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
Scala 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Scala 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
Scala 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Scala 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Scala 1135 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
Scala 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
Scala 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
Scala 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Scala 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Scala 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
Scala 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
Scala 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
Scala 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Scala 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Scala 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
Scala 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Scala 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Scala 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
Scala 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
Scala 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
Scala 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Scala 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Scala 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Scala 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
Scala 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Scala 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Scala 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Scala 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Scala 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Scala 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Scala 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Scala 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Scala 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Scala 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Scala 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Scala 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Scala 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Scala 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Scala 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Scala 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Scala 1397 Weaknesses in this category are related to comparison.
Scala 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Scala 1406 Weaknesses in this category are related to improper input validation.
Scala 1407 Weaknesses in this category are related to improper neutralization.
Scala 1408 Weaknesses in this category are related to incorrect calculation.
Scala 1409 Weaknesses in this category are related to injection.
Scala 1410 Weaknesses in this category are related to insufficient control flow management.
Scala 1412 Weaknesses in this category are related to poor coding practices.
Scala 1413 Weaknesses in this category are related to protection mechanism failure.
Scala 1416 Weaknesses in this category are related to resource lifecycle management.
Swift 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Swift 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Swift 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Swift 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Swift 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
Swift 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Swift 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Swift 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Swift 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Swift 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Swift 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Swift 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Swift 99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
Swift 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Swift 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Swift 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Swift 172 The product does not properly encode or decode the data, resulting in unexpected values.
Swift 176 The product does not properly handle when an input contains Unicode encoding.
Swift 199 Weaknesses in this category are related to improper handling of sensitive information.
Swift 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Swift 212 The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Swift 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
Swift 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Swift 255 Weaknesses in this category are related to the management of credentials.
Swift 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Swift 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Swift 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Swift 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Swift 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Swift 295 The product does not validate, or incorrectly validates, a certificate.
Swift 296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
Swift 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
Swift 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Swift 311 The product does not encrypt sensitive or critical information before storage or transmission.
Swift 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Swift 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Swift 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
Swift 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Swift 327 The product uses a broken or risky cryptographic algorithm or protocol.
Swift 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Swift 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Swift 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Swift 346 The product does not properly verify that the source of data or communication is valid.
Swift 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Swift 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Swift 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Swift 376 This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).
Swift 377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Swift 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
Swift 399 Weaknesses in this category are related to improper management of system resources.
Swift 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
Swift 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
Swift 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Swift 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
Swift 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
Swift 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Swift 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Swift 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
Swift 524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Swift 525 The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
Swift 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
Swift 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Swift 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Swift 613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Swift 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Swift 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Swift 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Swift 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Swift 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
Swift 657 The product violates well-established principles for secure design.
Swift 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Swift 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
Swift 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Swift 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Swift 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Swift 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Swift 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Swift 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Swift 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Swift 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Swift 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Swift 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Swift 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Swift 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Swift 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
Swift 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Swift 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
Swift 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
Swift 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
Swift 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
Swift 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Swift 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Swift 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Swift 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
Swift 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Swift 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Swift 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Swift 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Swift 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Swift 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Swift 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
Swift 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
Swift 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Swift 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Swift 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Swift 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
Swift 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Swift 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Swift 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Swift 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Swift 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
Swift 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Swift 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
Swift 779 The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
Swift 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Swift 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Swift 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Swift 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
Swift 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Swift 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Swift 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Swift 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Swift 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
Swift 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Swift 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
Swift 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
Swift 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Swift 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
Swift 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Swift 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Swift 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
Swift 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Swift 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Swift 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Swift 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Swift 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Swift 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Swift 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Swift 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Swift 863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
Swift 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Swift 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Swift 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Swift 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Swift 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Swift 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Swift 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Swift 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Swift 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Swift 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Swift 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Swift 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Swift 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
Swift 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Swift 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Swift 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Swift 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Swift 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Swift 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Swift 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Swift 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Swift 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
Swift 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
Swift 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Swift 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Swift 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
Swift 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Swift 921 The product stores sensitive information in a file system or device that does not have built-in access control.
Swift 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Swift 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
Swift 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Swift 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Swift 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Swift 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
Swift 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
Swift 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Swift 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Swift 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
Swift 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Swift 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Swift 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
Swift 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Swift 948 This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
Swift 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Swift 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
Swift 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
Swift 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
Swift 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
Swift 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Swift 964 This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.
Swift 965 This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.
Swift 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
Swift 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Swift 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
Swift 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Swift 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Swift 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
Swift 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
Swift 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Swift 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
Swift 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Swift 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
Swift 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Swift 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Swift 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Swift 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
Swift 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Swift 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Swift 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Swift 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Swift 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
Swift 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Swift 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Swift 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Swift 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Swift 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Swift 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
Swift 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
Swift 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Swift 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Swift 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Swift 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Swift 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Swift 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Swift 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
Swift 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Swift 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
Swift 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
Swift 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Swift 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Swift 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Swift 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Swift 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
Swift 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Swift 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Swift 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Swift 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Swift 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
Swift 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Swift 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Swift 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Swift 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Swift 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Swift 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Swift 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Swift 1199 Weaknesses in this category are related to hardware-circuit design and logic (e.g., CMOS transistors, finite state machines, and registers) as well as issues related to hardware description languages such as System Verilog and VHDL.
Swift 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Swift 1204 The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.
Swift 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Swift 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
Swift 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
Swift 1213 Weaknesses in this category are related to a software system's random number generation.
Swift 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
Swift 1217 Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.
Swift 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
Swift 1250 The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.
Swift 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Swift 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Swift 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Swift 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Swift 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Swift 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Swift 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Swift 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Swift 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Swift 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Swift 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
Swift 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Swift 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Swift 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Swift 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Swift 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Swift 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Swift 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Swift 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Swift 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Swift 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Swift 1396 Weaknesses in this category are related to access control.
Swift 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Swift 1402 Weaknesses in this category are related to encryption.
Swift 1403 Weaknesses in this category are related to exposed resource.
Swift 1404 Weaknesses in this category are related to file handling.
Swift 1406 Weaknesses in this category are related to improper input validation.
Swift 1407 Weaknesses in this category are related to improper neutralization.
Swift 1409 Weaknesses in this category are related to injection.
Swift 1410 Weaknesses in this category are related to insufficient control flow management.
Swift 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
Swift 1412 Weaknesses in this category are related to poor coding practices.
Swift 1413 Weaknesses in this category are related to protection mechanism failure.
Swift 1414 Weaknesses in this category are related to randomness.
Swift 1415 Weaknesses in this category are related to resource control.
Swift 1416 Weaknesses in this category are related to resource lifecycle management.
Swift 1417 Weaknesses in this category are related to sensitive information exposure.
Swift 1418 Weaknesses in this category are related to violation of secure design principles.
TypeScript 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
TypeScript 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
TypeScript 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
TypeScript 16 Weaknesses in this category are typically introduced during the configuration of the software.
TypeScript 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
TypeScript 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
TypeScript 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
TypeScript 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
TypeScript 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
TypeScript 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
TypeScript 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
TypeScript 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
TypeScript 73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
TypeScript 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
TypeScript 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
TypeScript 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
TypeScript 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
TypeScript 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
TypeScript 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
TypeScript 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
TypeScript 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
TypeScript 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
TypeScript 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
TypeScript 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
TypeScript 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
TypeScript 93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
TypeScript 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
TypeScript 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
TypeScript 99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
TypeScript 113 The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
TypeScript 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
TypeScript 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
TypeScript 133 Weaknesses in this category are related to the creation and modification of strings.
TypeScript 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
TypeScript 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
TypeScript 140 The product does not neutralize or incorrectly neutralizes delimiters.
TypeScript 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
TypeScript 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
TypeScript 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
TypeScript 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
TypeScript 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
TypeScript 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
TypeScript 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
TypeScript 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
TypeScript 183 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
TypeScript 185 The product specifies a regular expression in a way that causes data to be improperly matched or compared.
TypeScript 187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
TypeScript 199 Weaknesses in this category are related to improper handling of sensitive information.
TypeScript 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
TypeScript 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
TypeScript 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
TypeScript 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
TypeScript 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
TypeScript 215 The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
TypeScript 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
TypeScript 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
TypeScript 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
TypeScript 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
TypeScript 228 The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.
TypeScript 233 The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.
TypeScript 248 An exception is thrown from a function, but it is not caught.
TypeScript 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
TypeScript 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
TypeScript 255 Weaknesses in this category are related to the management of credentials.
TypeScript 256 Storing a password in plaintext may result in a system compromise.
TypeScript 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
TypeScript 258 Using an empty string as a password is insecure.
TypeScript 260 The product stores a password in a configuration file that might be accessible to actors who do not know the password.
TypeScript 263 The product supports password aging, but the expiration period is too long.
TypeScript 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
TypeScript 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
TypeScript 269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
TypeScript 271 The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.
TypeScript 272 The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
TypeScript 275 Weaknesses in this category are related to improper assignment or handling of permissions.
TypeScript 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
TypeScript 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
TypeScript 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
TypeScript 289 The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
TypeScript 290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
TypeScript 295 The product does not validate, or incorrectly validates, a certificate.
TypeScript 296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
TypeScript 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
TypeScript 304 The product implements an authentication technique, but it skips a step that weakens the technique.
TypeScript 305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
TypeScript 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
TypeScript 307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
TypeScript 308 The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
TypeScript 309 The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
TypeScript 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
TypeScript 311 The product does not encrypt sensitive or critical information before storage or transmission.
TypeScript 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
TypeScript 313 The product stores sensitive information in cleartext in a file, or on disk.
TypeScript 314 The product stores sensitive information in cleartext in the registry.
TypeScript 315 The product stores sensitive information in cleartext in a cookie.
TypeScript 317 The product stores sensitive information in cleartext within the GUI.
TypeScript 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
TypeScript 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
TypeScript 322 The product performs a key exchange with an actor without verifying the identity of that actor.
TypeScript 324 The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
TypeScript 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
TypeScript 327 The product uses a broken or risky cryptographic algorithm or protocol.
TypeScript 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
TypeScript 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
TypeScript 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
TypeScript 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
TypeScript 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
TypeScript 346 The product does not properly verify that the source of data or communication is valid.
TypeScript 347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
TypeScript 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
TypeScript 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
TypeScript 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
TypeScript 358 The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
TypeScript 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
TypeScript 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
TypeScript 371 Weaknesses in this category are related to improper management of system state.
TypeScript 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
TypeScript 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
TypeScript 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
TypeScript 399 Weaknesses in this category are related to improper management of system resources.
TypeScript 400 The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
TypeScript 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
TypeScript 405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
TypeScript 409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
TypeScript 417 Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
TypeScript 418 This category has been deprecated because it redundant with the grouping provided by CWE-417.
TypeScript 419 The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.
TypeScript 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
TypeScript 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
TypeScript 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
TypeScript 441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
TypeScript 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
TypeScript 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
TypeScript 455 The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.
TypeScript 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
TypeScript 461 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
TypeScript 463 The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
TypeScript 465 Weaknesses in this category are related to improper handling of pointers.
TypeScript 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
TypeScript 480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
TypeScript 483 The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
TypeScript 484 The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
TypeScript 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
TypeScript 489 The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
TypeScript 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
TypeScript 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
TypeScript 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
TypeScript 506 The product contains code that appears to be malicious in nature.
TypeScript 521 The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
TypeScript 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
TypeScript 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
TypeScript 524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
TypeScript 525 The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.
TypeScript 526 The product uses an environment variable to store unencrypted sensitive information.
TypeScript 530 A backup file is stored in a directory or archive that is made accessible to unauthorized actors.
TypeScript 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
TypeScript 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
TypeScript 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
TypeScript 539 The web application uses persistent cookies, but the cookies contain sensitive information.
TypeScript 548 A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.
TypeScript 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
TypeScript 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
TypeScript 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
TypeScript 561 The product contains dead code, which can never be executed.
TypeScript 565 The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
TypeScript 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
TypeScript 569 Weaknesses in this category are related to incorrectly written expressions within code.
TypeScript 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
TypeScript 592 This weakness has been deprecated because it covered redundant concepts already described in CWE-287.
TypeScript 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
TypeScript 602 The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
TypeScript 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
TypeScript 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
TypeScript 613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
TypeScript 614 The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
TypeScript 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
TypeScript 625 The product uses a regular expression that does not sufficiently restrict the set of allowed values.
TypeScript 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
TypeScript 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
TypeScript 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
TypeScript 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
TypeScript 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
TypeScript 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
TypeScript 636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
TypeScript 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
TypeScript 642 The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
TypeScript 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
TypeScript 654 A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.
TypeScript 657 The product violates well-established principles for secure design.
TypeScript 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
TypeScript 665 The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
TypeScript 666 The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
TypeScript 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
TypeScript 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
TypeScript 670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
TypeScript 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
TypeScript 672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
TypeScript 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
TypeScript 676 The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
TypeScript 688 The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.
TypeScript 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
TypeScript 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
TypeScript 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
TypeScript 697 The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
TypeScript 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
TypeScript 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
TypeScript 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
TypeScript 705 The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
TypeScript 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
TypeScript 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
TypeScript 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
TypeScript 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
TypeScript 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
TypeScript 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
TypeScript 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
TypeScript 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
TypeScript 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
TypeScript 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
TypeScript 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
TypeScript 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
TypeScript 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
TypeScript 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
TypeScript 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
TypeScript 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
TypeScript 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
TypeScript 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
TypeScript 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
TypeScript 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
TypeScript 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
TypeScript 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
TypeScript 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
TypeScript 732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
TypeScript 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
TypeScript 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 740 Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
TypeScript 748 Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
TypeScript 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
TypeScript 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
TypeScript 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
TypeScript 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
TypeScript 755 The product does not handle or incorrectly handles an exceptional condition.
TypeScript 757 A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
TypeScript 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
TypeScript 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
TypeScript 776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
TypeScript 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
TypeScript 779 The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
TypeScript 783 The product uses an expression in which operator precedence causes incorrect logic to be used.
TypeScript 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
TypeScript 799 The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
TypeScript 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
TypeScript 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
TypeScript 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
TypeScript 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
TypeScript 807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
TypeScript 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
TypeScript 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
TypeScript 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
TypeScript 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
TypeScript 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
TypeScript 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
TypeScript 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
TypeScript 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
TypeScript 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
TypeScript 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
TypeScript 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
TypeScript 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
TypeScript 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
TypeScript 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
TypeScript 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
TypeScript 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
TypeScript 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 846 Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 854 Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 855 Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 860 Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
TypeScript 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
TypeScript 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
TypeScript 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
TypeScript 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
TypeScript 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
TypeScript 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
TypeScript 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 874 Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
TypeScript 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
TypeScript 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
TypeScript 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
TypeScript 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
TypeScript 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
TypeScript 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
TypeScript 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
TypeScript 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
TypeScript 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
TypeScript 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
TypeScript 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
TypeScript 897 This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).
TypeScript 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
TypeScript 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
TypeScript 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
TypeScript 901 This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).
TypeScript 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
TypeScript 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
TypeScript 904 This category identifies Software Fault Patterns (SFPs) within the Malware cluster.
TypeScript 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
TypeScript 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
TypeScript 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
TypeScript 908 The product uses or accesses a resource that has not been initialized.
TypeScript 912 The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.
TypeScript 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
TypeScript 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
TypeScript 917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
TypeScript 918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
TypeScript 921 The product stores sensitive information in a file system or device that does not have built-in access control.
TypeScript 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
TypeScript 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
TypeScript 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
TypeScript 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
TypeScript 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
TypeScript 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
TypeScript 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
TypeScript 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
TypeScript 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
TypeScript 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
TypeScript 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
TypeScript 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
TypeScript 942 The product uses a cross-domain policy file that includes domains that should not be trusted.
TypeScript 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
TypeScript 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
TypeScript 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
TypeScript 946 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.
TypeScript 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
TypeScript 948 This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
TypeScript 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
TypeScript 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
TypeScript 951 This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.
TypeScript 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
TypeScript 955 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34).
TypeScript 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
TypeScript 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
TypeScript 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
TypeScript 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
TypeScript 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
TypeScript 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
TypeScript 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
TypeScript 965 This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.
TypeScript 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
TypeScript 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
TypeScript 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
TypeScript 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
TypeScript 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
TypeScript 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
TypeScript 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
TypeScript 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
TypeScript 983 This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).
TypeScript 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
TypeScript 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
TypeScript 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
TypeScript 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
TypeScript 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
TypeScript 993 This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.
TypeScript 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
TypeScript 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
TypeScript 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
TypeScript 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
TypeScript 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
TypeScript 1002 This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
TypeScript 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
TypeScript 1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
TypeScript 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
TypeScript 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
TypeScript 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
TypeScript 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
TypeScript 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
TypeScript 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
TypeScript 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
TypeScript 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
TypeScript 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
TypeScript 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
TypeScript 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
TypeScript 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
TypeScript 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
TypeScript 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
TypeScript 1021 The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
TypeScript 1022 The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
TypeScript 1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.
TypeScript 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
TypeScript 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
TypeScript 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
TypeScript 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
TypeScript 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
TypeScript 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
TypeScript 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
TypeScript 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
TypeScript 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
TypeScript 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
TypeScript 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
TypeScript 1078 The source code does not follow desired style or formatting for indentation, white space, comments, etc.
TypeScript 1104 The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.
TypeScript 1114 The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
TypeScript 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
TypeScript 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
TypeScript 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
TypeScript 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
TypeScript 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
TypeScript 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1135 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1145 Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1149 Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1150 Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
TypeScript 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
TypeScript 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
TypeScript 1161 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.
TypeScript 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
TypeScript 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
TypeScript 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
TypeScript 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
TypeScript 1167 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.
TypeScript 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
TypeScript 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
TypeScript 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
TypeScript 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
TypeScript 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
TypeScript 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
TypeScript 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
TypeScript 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
TypeScript 1187 This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908.
TypeScript 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
TypeScript 1198 Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.
TypeScript 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
TypeScript 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
TypeScript 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
TypeScript 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
TypeScript 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
TypeScript 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
TypeScript 1213 Weaknesses in this category are related to a software system's random number generation.
TypeScript 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
TypeScript 1215 Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.
TypeScript 1217 Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.
TypeScript 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
TypeScript 1228 Weaknesses in this category are related to the use of built-in functions or external APIs.
TypeScript 1275 The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
TypeScript 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
TypeScript 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
TypeScript 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
TypeScript 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
TypeScript 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
TypeScript 1327 The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.
TypeScript 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
TypeScript 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
TypeScript 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
TypeScript 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
TypeScript 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
TypeScript 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
TypeScript 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
TypeScript 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
TypeScript 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
TypeScript 1352 Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.
TypeScript 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
TypeScript 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
TypeScript 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
TypeScript 1356 Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.
TypeScript 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
TypeScript 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
TypeScript 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
TypeScript 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
TypeScript 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
TypeScript 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1371 Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1373 Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
TypeScript 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
TypeScript 1396 Weaknesses in this category are related to access control.
TypeScript 1397 Weaknesses in this category are related to comparison.
TypeScript 1398 Weaknesses in this category are related to component interaction.
TypeScript 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
TypeScript 1402 Weaknesses in this category are related to encryption.
TypeScript 1403 Weaknesses in this category are related to exposed resource.
TypeScript 1404 Weaknesses in this category are related to file handling.
TypeScript 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
TypeScript 1406 Weaknesses in this category are related to improper input validation.
TypeScript 1407 Weaknesses in this category are related to improper neutralization.
TypeScript 1409 Weaknesses in this category are related to injection.
TypeScript 1410 Weaknesses in this category are related to insufficient control flow management.
TypeScript 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
TypeScript 1412 Weaknesses in this category are related to poor coding practices.
TypeScript 1413 Weaknesses in this category are related to protection mechanism failure.
TypeScript 1414 Weaknesses in this category are related to randomness.
TypeScript 1415 Weaknesses in this category are related to resource control.
TypeScript 1416 Weaknesses in this category are related to resource lifecycle management.
TypeScript 1417 Weaknesses in this category are related to sensitive information exposure.
TypeScript 1418 Weaknesses in this category are related to violation of secure design principles.
VB.NET 2 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
VB.NET 4 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 5 Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
VB.NET 16 Weaknesses in this category are typically introduced during the configuration of the software.
VB.NET 17 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 18 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 19 Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
VB.NET 20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
VB.NET 21 This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
VB.NET 22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
VB.NET 23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
VB.NET 36 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
VB.NET 73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
VB.NET 74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
VB.NET 77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
VB.NET 78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
VB.NET 79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
VB.NET 80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
VB.NET 82 The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
VB.NET 83 The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
VB.NET 85 The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
VB.NET 86 The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
VB.NET 87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
VB.NET 88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
VB.NET 89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
VB.NET 90 The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
VB.NET 91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
VB.NET 94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
VB.NET 95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
VB.NET 116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
VB.NET 117 The product does not neutralize or incorrectly neutralizes output that is written to logs.
VB.NET 137 Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
VB.NET 138 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
VB.NET 140 The product does not neutralize or incorrectly neutralizes delimiters.
VB.NET 141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
VB.NET 142 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
VB.NET 143 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
VB.NET 146 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
VB.NET 149 Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
VB.NET 150 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
VB.NET 157 The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
VB.NET 171 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
VB.NET 189 Weaknesses in this category are related to improper calculation or conversion of numbers.
VB.NET 199 Weaknesses in this category are related to improper handling of sensitive information.
VB.NET 200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
VB.NET 201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
VB.NET 209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
VB.NET 210 The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
VB.NET 211 The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
VB.NET 221 The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
VB.NET 223 The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
VB.NET 226 The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
VB.NET 227 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
VB.NET 249 This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
VB.NET 254 Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
VB.NET 255 Weaknesses in this category are related to the management of credentials.
VB.NET 256 Storing a password in plaintext may result in a system compromise.
VB.NET 257 The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
VB.NET 259 The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
VB.NET 264 Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
VB.NET 265 Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
VB.NET 284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
VB.NET 285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
VB.NET 287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
VB.NET 295 The product does not validate, or incorrectly validates, a certificate.
VB.NET 296 The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
VB.NET 299 The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
VB.NET 300 The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
VB.NET 304 The product implements an authentication technique, but it skips a step that weakens the technique.
VB.NET 306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
VB.NET 310 Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
VB.NET 311 The product does not encrypt sensitive or critical information before storage or transmission.
VB.NET 312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
VB.NET 313 The product stores sensitive information in cleartext in a file, or on disk.
VB.NET 314 The product stores sensitive information in cleartext in the registry.
VB.NET 315 The product stores sensitive information in cleartext in a cookie.
VB.NET 317 The product stores sensitive information in cleartext within the GUI.
VB.NET 318 The product stores sensitive information in cleartext in an executable.
VB.NET 319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
VB.NET 320 Weaknesses in this category are related to errors in the management of cryptographic keys.
VB.NET 321 The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
VB.NET 326 The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
VB.NET 327 The product uses a broken or risky cryptographic algorithm or protocol.
VB.NET 328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
VB.NET 330 The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
VB.NET 338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
VB.NET 344 The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
VB.NET 345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
VB.NET 352 The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
VB.NET 353 The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
VB.NET 355 Weaknesses in this category are related to or introduced in the User Interface (UI).
VB.NET 359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
VB.NET 361 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
VB.NET 369 The product divides a value by zero.
VB.NET 371 Weaknesses in this category are related to improper management of system state.
VB.NET 380 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 381 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
VB.NET 388 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
VB.NET 389 This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
VB.NET 398 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
VB.NET 399 Weaknesses in this category are related to improper management of system resources.
VB.NET 402 The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
VB.NET 403 A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
VB.NET 404 The product does not release or incorrectly releases a resource before it is made available for re-use.
VB.NET 405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
VB.NET 409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
VB.NET 435 An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
VB.NET 436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
VB.NET 438 Weaknesses in this category are related to unexpected behaviors from code that an application uses.
VB.NET 442 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 452 Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
VB.NET 459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
VB.NET 465 Weaknesses in this category are related to improper handling of pointers.
VB.NET 470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
VB.NET 476 A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
VB.NET 485 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
VB.NET 497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
VB.NET 502 The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
VB.NET 505 This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
VB.NET 523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
VB.NET 526 The product uses an environment variable to store unencrypted sensitive information.
VB.NET 532 Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
VB.NET 536 A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
VB.NET 538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
VB.NET 539 The web application uses persistent cookies, but the cookies contain sensitive information.
VB.NET 540 Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
VB.NET 543 The product uses the singleton pattern when creating a resource within a multithreaded environment.
VB.NET 550 Certain conditions, such as network failure, will cause a server error message to be displayed.
VB.NET 552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
VB.NET 557 Weaknesses in this category are related to concurrent use of shared resources.
VB.NET 559 This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
VB.NET 561 The product contains dead code, which can never be executed.
VB.NET 566 The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
VB.NET 573 The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
VB.NET 601 A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
VB.NET 610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
VB.NET 611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
VB.NET 615 While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.
VB.NET 624 The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
VB.NET 628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
VB.NET 629 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
VB.NET 632 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
VB.NET 633 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
VB.NET 634 This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
VB.NET 635 CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
VB.NET 639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
VB.NET 642 The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
VB.NET 643 The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
VB.NET 644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
VB.NET 657 The product violates well-established principles for secure design.
VB.NET 662 The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
VB.NET 664 The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
VB.NET 668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
VB.NET 669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
VB.NET 671 The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
VB.NET 674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
VB.NET 682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
VB.NET 683 The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
VB.NET 691 The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
VB.NET 692 The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
VB.NET 693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
VB.NET 699 This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
VB.NET 700 This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
VB.NET 703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
VB.NET 706 The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
VB.NET 707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
VB.NET 710 The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
VB.NET 711 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
VB.NET 712 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
VB.NET 713 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
VB.NET 714 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
VB.NET 715 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
VB.NET 716 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
VB.NET 717 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
VB.NET 718 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
VB.NET 719 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
VB.NET 720 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
VB.NET 721 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
VB.NET 722 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
VB.NET 723 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
VB.NET 724 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
VB.NET 725 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
VB.NET 727 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
VB.NET 728 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
VB.NET 729 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
VB.NET 730 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
VB.NET 731 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
VB.NET 734 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
VB.NET 736 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 737 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 738 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 739 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 741 Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 742 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 743 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 744 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 745 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 746 Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 747 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
VB.NET 750 CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
VB.NET 751 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
VB.NET 752 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
VB.NET 753 Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
VB.NET 755 The product does not handle or incorrectly handles an exceptional condition.
VB.NET 759 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
VB.NET 760 The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
VB.NET 776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
VB.NET 778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
VB.NET 798 The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
VB.NET 800 CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
VB.NET 801 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
VB.NET 802 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
VB.NET 803 Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
VB.NET 808 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
VB.NET 809 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
VB.NET 810 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
VB.NET 811 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
VB.NET 812 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
VB.NET 813 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
VB.NET 814 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
VB.NET 815 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
VB.NET 816 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
VB.NET 817 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
VB.NET 818 Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
VB.NET 819 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
VB.NET 820 The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
VB.NET 827 The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.
VB.NET 829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
VB.NET 834 The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
VB.NET 835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
VB.NET 840 Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
VB.NET 844 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
VB.NET 845 Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 848 Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 850 Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 851 Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 852 Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 853 Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 855 Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 857 Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 858 Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 859 Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 861 Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
VB.NET 862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
VB.NET 864 Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
VB.NET 865 Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
VB.NET 866 Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
VB.NET 867 Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
VB.NET 868 CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
VB.NET 871 Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 872 Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 873 Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 875 Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 876 Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 877 Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 878 Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 879 Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 880 Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 881 Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 882 Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 883 Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
VB.NET 884 This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
VB.NET 885 This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).
VB.NET 886 This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).
VB.NET 887 This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
VB.NET 888 CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
VB.NET 889 This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
VB.NET 890 This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).
VB.NET 892 This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
VB.NET 893 This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
VB.NET 894 This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).
VB.NET 895 This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
VB.NET 896 This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
VB.NET 898 This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
VB.NET 899 This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
VB.NET 900 CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
VB.NET 902 This category identifies Software Fault Patterns (SFPs) within the Channel cluster.
VB.NET 903 This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.
VB.NET 905 This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
VB.NET 906 This category identifies Software Fault Patterns (SFPs) within the UI cluster.
VB.NET 907 This category identifies Software Fault Patterns (SFPs) within the Other cluster.
VB.NET 913 The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
VB.NET 915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
VB.NET 916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
VB.NET 922 The product stores sensitive information without properly limiting read or write access by unauthorized actors.
VB.NET 923 The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
VB.NET 928 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
VB.NET 929 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
VB.NET 930 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
VB.NET 931 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
VB.NET 932 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.
VB.NET 933 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.
VB.NET 934 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
VB.NET 935 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
VB.NET 936 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
VB.NET 938 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
VB.NET 943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
VB.NET 944 This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
VB.NET 945 This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).
VB.NET 947 This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
VB.NET 948 This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
VB.NET 949 This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
VB.NET 950 This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
VB.NET 952 This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.
VB.NET 956 This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.
VB.NET 957 This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.
VB.NET 958 This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.
VB.NET 959 This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.
VB.NET 961 This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
VB.NET 962 This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).
VB.NET 963 This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
VB.NET 966 This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.
VB.NET 971 This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).
VB.NET 975 This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
VB.NET 977 This category identifies Software Fault Patterns (SFPs) within the Design cluster.
VB.NET 978 This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
VB.NET 980 This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
VB.NET 981 This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).
VB.NET 982 This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).
VB.NET 984 This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
VB.NET 985 This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).
VB.NET 986 This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).
VB.NET 990 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
VB.NET 991 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).
VB.NET 992 This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
VB.NET 994 This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
VB.NET 997 This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.
VB.NET 998 This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).
VB.NET 1000 This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
VB.NET 1001 This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
VB.NET 1003 CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
VB.NET 1005 This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
VB.NET 1006 Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
VB.NET 1008 This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
VB.NET 1009 Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.
VB.NET 1010 Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
VB.NET 1011 Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
VB.NET 1012 Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
VB.NET 1013 Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
VB.NET 1014 Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
VB.NET 1015 Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
VB.NET 1016 Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.
VB.NET 1018 Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.
VB.NET 1019 Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
VB.NET 1020 Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
VB.NET 1026 CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
VB.NET 1027 Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
VB.NET 1028 Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
VB.NET 1029 Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
VB.NET 1030 Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.
VB.NET 1031 Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
VB.NET 1032 Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.
VB.NET 1033 Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
VB.NET 1034 Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.
VB.NET 1036 Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.
VB.NET 1041 The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
VB.NET 1128 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
VB.NET 1129 Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.
VB.NET 1130 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.
VB.NET 1131 Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
VB.NET 1133 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
VB.NET 1134 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1136 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1137 Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1140 Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1141 Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1142 Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1143 Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1145 Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1147 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1148 Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1152 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
VB.NET 1154 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
VB.NET 1157 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.
VB.NET 1158 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.
VB.NET 1159 Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.
VB.NET 1162 Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.
VB.NET 1163 Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
VB.NET 1164 The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.
VB.NET 1165 Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.
VB.NET 1166 Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.
VB.NET 1169 Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
VB.NET 1170 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
VB.NET 1172 Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
VB.NET 1178 CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
VB.NET 1179 Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
VB.NET 1180 Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.
VB.NET 1181 Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.
VB.NET 1182 Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.
VB.NET 1186 Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.
VB.NET 1194 This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
VB.NET 1200 CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
VB.NET 1202 Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).
VB.NET 1207 Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
VB.NET 1210 Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.
VB.NET 1211 Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.
VB.NET 1212 Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.
VB.NET 1213 Weaknesses in this category are related to a software system's random number generation.
VB.NET 1214 Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.
VB.NET 1219 Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.
VB.NET 1305 This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
VB.NET 1306 Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
VB.NET 1307 Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.
VB.NET 1308 Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
VB.NET 1309 Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.
VB.NET 1337 CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
VB.NET 1340 This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
VB.NET 1344 CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
VB.NET 1345 Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
VB.NET 1346 Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
VB.NET 1347 Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
VB.NET 1348 Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
VB.NET 1349 Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.
VB.NET 1350 CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
VB.NET 1353 Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
VB.NET 1354 Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
VB.NET 1355 Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.
VB.NET 1358 CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1359 Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
VB.NET 1360 Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
VB.NET 1361 Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
VB.NET 1362 Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
VB.NET 1363 Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
VB.NET 1364 Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1366 Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1368 Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1369 Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1370 Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1372 Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1375 Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1382 Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1383 Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
VB.NET 1387 CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
VB.NET 1396 Weaknesses in this category are related to access control.
VB.NET 1398 Weaknesses in this category are related to component interaction.
VB.NET 1400 This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
VB.NET 1401 Weaknesses in this category are related to concurrency.
VB.NET 1402 Weaknesses in this category are related to encryption.
VB.NET 1403 Weaknesses in this category are related to exposed resource.
VB.NET 1404 Weaknesses in this category are related to file handling.
VB.NET 1405 Weaknesses in this category are related to improper check or handling of exceptional conditions.
VB.NET 1406 Weaknesses in this category are related to improper input validation.
VB.NET 1407 Weaknesses in this category are related to improper neutralization.
VB.NET 1408 Weaknesses in this category are related to incorrect calculation.
VB.NET 1409 Weaknesses in this category are related to injection.
VB.NET 1410 Weaknesses in this category are related to insufficient control flow management.
VB.NET 1411 Weaknesses in this category are related to insufficient verification of data authenticity.
VB.NET 1412 Weaknesses in this category are related to poor coding practices.
VB.NET 1413 Weaknesses in this category are related to protection mechanism failure.
VB.NET 1414 Weaknesses in this category are related to randomness.
VB.NET 1415 Weaknesses in this category are related to resource control.
VB.NET 1416 Weaknesses in this category are related to resource lifecycle management.
VB.NET 1417 Weaknesses in this category are related to sensitive information exposure.
VB.NET 1418 Weaknesses in this category are related to violation of secure design principles.