CWE Security Standards Supported by SAST

Language/Platform	CWE	Description
Apex	17	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Apex	18	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Apex	19	Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
Apex	20	The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Apex	74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Apex	77	The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Apex	79	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Apex	89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
Apex	116	The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Apex	137	Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
Apex	171	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
Apex	199	Weaknesses in this category are related to improper handling of sensitive information.
Apex	227	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
Apex	242	The product calls a function that can never be guaranteed to work safely.
Apex	254	Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Apex	255	Weaknesses in this category are related to the management of credentials.
Apex	259	The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
Apex	264	Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Apex	265	Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
Apex	269	The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Apex	274	The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.
Apex	284	The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Apex	287	When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Apex	310	Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
Apex	311	The product does not encrypt sensitive or critical information before storage or transmission.
Apex	319	The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Apex	320	Weaknesses in this category are related to errors in the management of cryptographic keys.
Apex	321	The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Apex	330	The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Apex	344	The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
Apex	345	The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Apex	352	The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
Apex	361	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
Apex	388	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
Apex	389	This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
Apex	442	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
Apex	601	A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Apex	610	The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Apex	629	CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex	632	This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
Apex	635	CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
Apex	657	The product violates well-established principles for secure design.
Apex	664	The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Apex	671	The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
Apex	693	The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Apex	699	This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Apex	700	This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
Apex	703	The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Apex	707	The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Apex	710	The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
Apex	711	CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex	712	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
Apex	713	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
Apex	716	Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
Apex	718	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
Apex	719	Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
Apex	720	Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
Apex	722	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
Apex	723	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
Apex	724	Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
Apex	725	Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
Apex	727	Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
Apex	728	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
Apex	729	Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
Apex	734	CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
Apex	738	Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
Apex	742	Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
Apex	746	Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
Apex	747	Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
Apex	748	Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
Apex	750	CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Apex	751	Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
Apex	753	Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
Apex	798	The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Apex	800	CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
Apex	801	Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
Apex	803	Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
Apex	808	Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Apex	809	CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex	810	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
Apex	811	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
Apex	812	Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
Apex	814	Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
Apex	816	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
Apex	818	Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
Apex	819	Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
Apex	844	CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.
Apex	845	Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex	851	Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex	858	Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex	859	Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex	861	Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Apex	864	Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Apex	866	Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Apex	867	Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
Apex	868	CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.
Apex	872	Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex	876	Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex	880	Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex	883	Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
Apex	884	This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.
Apex	887	This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).
Apex	888	CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).
Apex	889	This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).
Apex	892	This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).
Apex	893	This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).
Apex	895	This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).
Apex	896	This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).
Apex	898	This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).
Apex	899	This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).
Apex	900	CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.
Apex	901	This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).
Apex	905	This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.
Apex	907	This category identifies Software Fault Patterns (SFPs) within the Other cluster.
Apex	917	The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
Apex	928	CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
Apex	929	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.
Apex	930	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.
Apex	931	Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.
Apex	934	Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.
Apex	935	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.
Apex	936	Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.
Apex	938	Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.
Apex	943	The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Apex	944	This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.
Apex	947	This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.
Apex	949	This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).
Apex	950	This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).
Apex	961	This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
Apex	963	This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).
Apex	975	This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.
Apex	978	This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.
Apex	980	This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).
Apex	984	This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.
Apex	990	This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).
Apex	992	This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.
Apex	994	This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).
Apex	1000	This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.
Apex	1001	This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).
Apex	1003	CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.
Apex	1005	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
Apex	1006	Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.
Apex	1008	This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Apex	1010	Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Apex	1011	Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.
Apex	1012	Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.
Apex	1013	Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.
Apex	1014	Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Apex	1015	Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.
Apex	1019	Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.
Apex	1020	Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.
Apex	1026	CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.
Apex	1027	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.
Apex	1028	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.
Apex	1029	Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.
Apex	1031	Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.
Apex	1033	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.
Apex	1128	This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.
Apex	1131	Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.
Apex	1133	CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
Apex	1134	Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex	1141	Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex	1147	Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex	1148	Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex	1152	Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
Apex	1154	CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.
Apex	1163	Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
Apex	1169	Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.
Apex	1170	Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.
Apex	1171	Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.
Apex	1172	Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.
Apex	1178	CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.
Apex	1179	Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.
Apex	1194	This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Apex	1200	CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.
Apex	1207	Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.
Apex	1213	Weaknesses in this category are related to a software system's random number generation.
Apex	1228	Weaknesses in this category are related to the use of built-in functions or external APIs.
Apex	1305	This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.
Apex	1306	Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.
Apex	1308	Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.
Apex	1337	CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.
Apex	1340	This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Apex	1344	CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.
Apex	1345	Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.
Apex	1346	Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.
Apex	1347	Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.
Apex	1348	Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.
Apex	1350	CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.
Apex	1353	Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.
Apex	1354	Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.
Apex	1358	CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1360	Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex	1361	Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex	1362	Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex	1363	Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.
Apex	1368	Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1369	Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1370	Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1372	Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1373	Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1375	Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1382	Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1383	Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.
Apex	1387	CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.
Apex	1396	Weaknesses in this category are related to access control.
Apex	1400	This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.
Apex	1402	Weaknesses in this category are related to encryption.
Apex	1405	Weaknesses in this category are related to improper check or handling of exceptional conditions.
Apex	1406	Weaknesses in this category are related to improper input validation.
Apex	1407	Weaknesses in this category are related to improper neutralization.
Apex	1409	Weaknesses in this category are related to injection.
Apex	1411	Weaknesses in this category are related to insufficient verification of data authenticity.
Apex	1412	Weaknesses in this category are related to poor coding practices.
Apex	1413	Weaknesses in this category are related to protection mechanism failure.
Apex	1414	Weaknesses in this category are related to randomness.
Apex	1416	Weaknesses in this category are related to resource lifecycle management.
Apex	1418	Weaknesses in this category are related to violation of secure design principles.
C#	2	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
C#	4	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	5	Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
C#	10	This category has been deprecated. It added unnecessary depth and complexity to its associated views.
C#	11	Debugging messages help attackers learn about the system and plan a form of attack.
C#	16	Weaknesses in this category are typically introduced during the configuration of the software.
C#	17	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	18	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	19	Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.
C#	20	The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
C#	21	This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).
C#	22	The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
C#	23	The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
C#	36	The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
C#	73	The product allows user input to control or influence paths or file names that are used in filesystem operations.
C#	74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
C#	77	The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
C#	78	The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
C#	79	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
C#	80	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
C#	82	The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.
C#	83	The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.
C#	85	The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
C#	86	The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.
C#	87	The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
C#	88	The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
C#	89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
C#	90	The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
C#	91	The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
C#	94	The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
C#	95	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
C#	116	The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
C#	117	The product does not neutralize or incorrectly neutralizes output that is written to logs.
C#	133	Weaknesses in this category are related to the creation and modification of strings.
C#	137	Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.
C#	138	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.
C#	140	The product does not neutralize or incorrectly neutralizes delimiters.
C#	141	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.
C#	142	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.
C#	143	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.
C#	146	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.
C#	149	Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
C#	150	The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
C#	157	The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.
C#	171	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.
C#	183	The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
C#	189	Weaknesses in this category are related to improper calculation or conversion of numbers.
C#	190	The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
C#	199	Weaknesses in this category are related to improper handling of sensitive information.
C#	200	The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
C#	201	The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
C#	209	The product generates an error message that includes sensitive information about its environment, users, or associated data.
C#	210	The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.
C#	211	The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.
C#	215	The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
C#	221	The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
C#	223	The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.
C#	226	The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
C#	227	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
C#	248	An exception is thrown from a function, but it is not caught.
C#	249	This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
C#	252	The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
C#	254	Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
C#	255	Weaknesses in this category are related to the management of credentials.
C#	256	Storing a password in plaintext may result in a system compromise.
C#	257	The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
C#	258	Using an empty string as a password is insecure.
C#	259	The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
C#	260	The product stores a password in a configuration file that might be accessible to actors who do not know the password.
C#	264	Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
C#	265	Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.
C#	275	Weaknesses in this category are related to improper assignment or handling of permissions.
C#	284	The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
C#	285	The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
C#	287	When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
C#	295	The product does not validate, or incorrectly validates, a certificate.
C#	296	The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
C#	299	The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
C#	300	The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
C#	304	The product implements an authentication technique, but it skips a step that weakens the technique.
C#	306	The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
C#	310	Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
C#	311	The product does not encrypt sensitive or critical information before storage or transmission.
C#	312	The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
C#	313	The product stores sensitive information in cleartext in a file, or on disk.
C#	314	The product stores sensitive information in cleartext in the registry.
C#	315	The product stores sensitive information in cleartext in a cookie.
C#	317	The product stores sensitive information in cleartext within the GUI.
C#	318	The product stores sensitive information in cleartext in an executable.
C#	319	The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
C#	320	Weaknesses in this category are related to errors in the management of cryptographic keys.
C#	321	The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
C#	326	The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
C#	327	The product uses a broken or risky cryptographic algorithm or protocol.
C#	328	The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
C#	330	The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
C#	338	The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
C#	344	The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
C#	345	The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
C#	346	The product does not properly verify that the source of data or communication is valid.
C#	352	The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
C#	353	The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
C#	355	Weaknesses in this category are related to or introduced in the User Interface (UI).
C#	359	The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
C#	361	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
C#	362	The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
C#	366	If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
C#	369	The product divides a value by zero.
C#	371	Weaknesses in this category are related to improper management of system state.
C#	376	This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).
C#	377	Creating and using insecure temporary files can leave application and system data vulnerable to attack.
C#	379	The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
C#	380	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	381	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	384	Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
C#	388	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
C#	389	This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.
C#	390	The product detects a specific error, but takes no actions to handle the error.
C#	398	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
C#	399	Weaknesses in this category are related to improper management of system resources.
C#	400	The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
C#	402	The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
C#	403	A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
C#	404	The product does not release or incorrectly releases a resource before it is made available for re-use.
C#	405	The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
C#	409	The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
C#	411	Weaknesses in this category are related to improper handling of locks that are used to control access to resources.
C#	417	Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.
C#	427	The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
C#	435	An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.
C#	436	Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
C#	438	Weaknesses in this category are related to unexpected behaviors from code that an application uses.
C#	442	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	452	Weaknesses in this category occur in behaviors that are used for initialization and breakdown.
C#	459	The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
C#	461	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	463	The accidental deletion of a data-structure sentinel can cause serious programming logic problems.
C#	465	Weaknesses in this category are related to improper handling of pointers.
C#	470	The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
C#	476	A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
C#	480	The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
C#	483	The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
C#	485	This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
C#	489	The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
C#	497	The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
C#	502	The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
C#	505	This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.
C#	519	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	521	The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
C#	522	The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
C#	523	Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
C#	526	The product uses an environment variable to store unencrypted sensitive information.
C#	532	Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
C#	536	A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.
C#	538	The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
C#	539	The web application uses persistent cookies, but the cookies contain sensitive information.
C#	540	Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.
C#	543	The product uses the singleton pattern when creating a resource within a multithreaded environment.
C#	550	Certain conditions, such as network failure, will cause a server error message to be displayed.
C#	552	The product makes files or directories accessible to unauthorized actors, even though they should not be.
C#	557	Weaknesses in this category are related to concurrent use of shared resources.
C#	558	The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
C#	559	This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.
C#	561	The product contains dead code, which can never be executed.
C#	563	The variable's value is assigned but never used, making it a dead store.
C#	566	The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
C#	567	The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
C#	569	Weaknesses in this category are related to incorrectly written expressions within code.
C#	570	The product contains an expression that will always evaluate to false.
C#	573	The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
C#	595	The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
C#	601	A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
C#	610	The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
C#	611	The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
C#	614	The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
C#	615	While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.
C#	624	The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
C#	628	The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
C#	629	CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C#	632	This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C#	633	This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C#	634	This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.
C#	635	CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.
C#	639	The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
C#	642	The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
C#	643	The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
C#	644	The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
C#	657	The product violates well-established principles for secure design.
C#	662	The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
C#	663	The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.
C#	664	The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
C#	667	The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
C#	668	The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
C#	669	The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
C#	670	The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
C#	671	The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.
C#	674	The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
C#	682	The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
C#	683	The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.
C#	691	The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
C#	692	The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.
C#	693	The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
C#	697	The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
C#	699	This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
C#	700	This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
C#	703	The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
C#	705	The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
C#	706	The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
C#	707	The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
C#	710	The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
C#	711	CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C#	712	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.
C#	713	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.
C#	714	Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.
C#	715	Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.
C#	716	Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.
C#	717	Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.
C#	718	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.
C#	719	Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.
C#	720	Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.
C#	721	Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.
C#	722	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.
C#	723	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.
C#	724	Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.
C#	725	Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.
C#	727	Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.
C#	728	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.
C#	729	Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.
C#	730	Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.
C#	731	Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.
C#	732	The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
C#	734	CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.
C#	736	Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).
C#	737	Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).
C#	738	Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).
C#	739	Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).
C#	741	Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).
C#	742	Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).
C#	743	Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).
C#	744	Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).
C#	745	Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).
C#	746	Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).
C#	747	Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).
C#	748	Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).
C#	749	The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
C#	750	CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
C#	751	Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.
C#	752	Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.
C#	753	Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.
C#	754	The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
C#	755	The product does not handle or incorrectly handles an exceptional condition.
C#	759	The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.
C#	760	The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.
C#	776	The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
C#	778	When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
C#	780	The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
C#	783	The product uses an expression in which operator precedence causes incorrect logic to be used.
C#	798	The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
C#	800	CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.
C#	801	Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.
C#	802	Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.
C#	803	Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.
C#	808	Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.
C#	809	CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.
C#	810	Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.
C#	811	Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.
C#	812	Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.
C#	813	Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.
C#	814	Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.
C#	815	Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.
C#	816	Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.
C#	817	Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.
C#	818	Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.
C#	819	Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.
C#	820	The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
C#	827	The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.
C#	829	The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
C#	833	The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
C#	834	The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
C#	835	The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
C#	840	Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.
C#	844	CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Apex

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Apex

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Apex

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Apex

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Apex

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Apex

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Apex

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Apex

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Apex

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Apex

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Apex

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Apex

199

Weaknesses in this category are related to improper handling of sensitive information.

Apex

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

Apex

242

The product calls a function that can never be guaranteed to work safely.

Apex

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Apex

255

Weaknesses in this category are related to the management of credentials.

Apex

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Apex

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Apex

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

Apex

269

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Apex

274

The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.

Apex

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Apex

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Apex

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Apex

311

The product does not encrypt sensitive or critical information before storage or transmission.

Apex

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Apex

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

Apex

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Apex

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Apex

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Apex

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Apex

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Apex

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Apex

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

Apex

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

Apex

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Apex

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Apex

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Apex

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Apex

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Apex

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Apex

657

The product violates well-established principles for secure design.

Apex

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Apex

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Apex

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Apex

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Apex

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Apex

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Apex

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Apex

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Apex

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Apex

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

Apex

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

Apex

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

Apex

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

Apex

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

Apex

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

Apex

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Apex

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

Apex

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

Apex

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

Apex

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Apex

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

Apex

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

Apex

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Apex

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Apex

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Apex

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Apex

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Apex

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

Apex

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Apex

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Apex

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

Apex

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Apex

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Apex

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

Apex

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

Apex

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Apex

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Apex

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

Apex

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

Apex

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

Apex

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

Apex

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

Apex

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

Apex

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

Apex

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Apex

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Apex

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Apex

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Apex

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Apex

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Apex

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Apex

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Apex

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Apex

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Apex

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Apex

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Apex

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Apex

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Apex

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Apex

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

Apex

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Apex

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

Apex

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Apex

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

Apex

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

Apex

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Apex

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

Apex

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

Apex

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Apex

901

This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).

Apex

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

Apex

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Apex

917

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Apex

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Apex

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Apex

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

Apex

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

Apex

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

Apex

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

Apex

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

Apex

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

Apex

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Apex

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

Apex

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

Apex

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

Apex

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

Apex

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

Apex

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

Apex

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Apex

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Apex

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

Apex

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Apex

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Apex

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Apex

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Apex

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Apex

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Apex

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Apex

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Apex

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Apex

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Apex

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Apex

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

Apex

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

Apex

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

Apex

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Apex

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Apex

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Apex

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Apex

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

Apex

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

Apex

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

Apex

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

Apex

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

Apex

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

Apex

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Apex

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Apex

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Apex

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Apex

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

Apex

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Apex

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

Apex

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Apex

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Apex

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Apex

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

Apex

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

Apex

1171

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.

Apex

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

Apex

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Apex

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Apex

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Apex

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Apex

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

Apex

1213

Weaknesses in this category are related to a software system's random number generation.

Apex

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

Apex

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Apex

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Apex

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Apex

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Apex

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Apex

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Apex

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Apex

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

Apex

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Apex

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

Apex

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Apex

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

Apex

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

Apex

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Apex

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Apex

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Apex

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Apex

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1373

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Apex

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Apex

1396

Weaknesses in this category are related to access control.

Apex

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Apex

1402

Weaknesses in this category are related to encryption.

Apex

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

Apex

1406

Weaknesses in this category are related to improper input validation.

Apex

1407

Weaknesses in this category are related to improper neutralization.

Apex

1409

Weaknesses in this category are related to injection.

Apex

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

Apex

1412

Weaknesses in this category are related to poor coding practices.

Apex

1413

Weaknesses in this category are related to protection mechanism failure.

Apex

1414

Weaknesses in this category are related to randomness.

Apex

1416

Weaknesses in this category are related to resource lifecycle management.

Apex

1418

Weaknesses in this category are related to violation of secure design principles.

C#

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

C#

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

C#

10

This category has been deprecated. It added unnecessary depth and complexity to its associated views.

C#

11

Debugging messages help attackers learn about the system and plan a form of attack.

C#

16

Weaknesses in this category are typically introduced during the configuration of the software.

C#

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

C#

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

C#

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

C#

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

C#

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

C#

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

C#

73

The product allows user input to control or influence paths or file names that are used in filesystem operations.

C#

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

C#

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

C#

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

C#

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

C#

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

C#

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

C#

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

C#

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

C#

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

C#

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

C#

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

C#

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

C#

90

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

C#

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

C#

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

C#

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

C#

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

C#

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

C#

133

Weaknesses in this category are related to the creation and modification of strings.

C#

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

C#

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

C#

140

The product does not neutralize or incorrectly neutralizes delimiters.

C#

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

C#

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

C#

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

C#

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

C#

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

C#

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

C#

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

C#

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

C#

183

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

C#

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

C#

190

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

C#

199

Weaknesses in this category are related to improper handling of sensitive information.

C#

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

C#

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

C#

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

C#

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

C#

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

C#

215

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

C#

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

C#

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

C#

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

C#

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

C#

248

An exception is thrown from a function, but it is not caught.

C#

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

C#

252

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

C#

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

C#

255

Weaknesses in this category are related to the management of credentials.

C#

256

Storing a password in plaintext may result in a system compromise.

C#

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

C#

258

Using an empty string as a password is insecure.

C#

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

C#

260

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

C#

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

C#

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

C#

275

Weaknesses in this category are related to improper assignment or handling of permissions.

C#

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

C#

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

C#

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

C#

295

The product does not validate, or incorrectly validates, a certificate.

C#

296

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

C#

299

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

C#

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

C#

304

The product implements an authentication technique, but it skips a step that weakens the technique.

C#

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

C#

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

C#

311

The product does not encrypt sensitive or critical information before storage or transmission.

C#

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

C#

313

The product stores sensitive information in cleartext in a file, or on disk.

C#

314

The product stores sensitive information in cleartext in the registry.

C#

315

The product stores sensitive information in cleartext in a cookie.

C#

317

The product stores sensitive information in cleartext within the GUI.

C#

318

The product stores sensitive information in cleartext in an executable.

C#

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

C#

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

C#

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

C#

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

C#

327

The product uses a broken or risky cryptographic algorithm or protocol.

C#

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

C#

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

C#

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

C#

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

C#

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

C#

346

The product does not properly verify that the source of data or communication is valid.

C#

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

C#

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

C#

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

C#

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

C#

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

C#

362

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

C#

366

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

C#

369

The product divides a value by zero.

C#

371

Weaknesses in this category are related to improper management of system state.

C#

376

This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).

C#

377

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

C#

379

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

C#

380

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

381

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

384

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

C#

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

C#

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

C#

390

The product detects a specific error, but takes no actions to handle the error.

C#

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

C#

399

Weaknesses in this category are related to improper management of system resources.

C#

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

C#

402

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

C#

403

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

C#

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

C#

405

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

C#

409

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

C#

411

Weaknesses in this category are related to improper handling of locks that are used to control access to resources.

C#

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

C#

427

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

C#

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

C#

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

C#

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

C#

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

C#

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

C#

461

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

463

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

C#

465

Weaknesses in this category are related to improper handling of pointers.

C#

470

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

C#

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

C#

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

C#

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

C#

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

C#

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

C#

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

C#

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

C#

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

C#

519

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

521

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

C#

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

C#

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

C#

526

The product uses an environment variable to store unencrypted sensitive information.

C#

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

C#

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

C#

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

C#

539

The web application uses persistent cookies, but the cookies contain sensitive information.

C#

540

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

C#

543

The product uses the singleton pattern when creating a resource within a multithreaded environment.

C#

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

C#

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

C#

557

Weaknesses in this category are related to concurrent use of shared resources.

C#

558

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

C#

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C#

561

The product contains dead code, which can never be executed.

C#

563

The variable's value is assigned but never used, making it a dead store.

C#

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

C#

567

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

C#

569

Weaknesses in this category are related to incorrectly written expressions within code.

C#

570

The product contains an expression that will always evaluate to false.

C#

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

C#

595

The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

C#

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

C#

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

C#

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

C#

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

C#

615

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.

C#

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

C#

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

C#

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C#

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

C#

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

C#

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

C#

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

C#

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

C#

642

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

C#

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

C#

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

C#

657

The product violates well-established principles for secure design.

C#

662

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

C#

663

The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

C#

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

C#

667

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

C#

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

C#

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

C#

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

C#

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

C#

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

C#

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

C#

683

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

C#

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

C#

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

C#

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

C#

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

C#

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

C#

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

C#

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

C#

705

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

C#

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

C#

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

C#

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

C#

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C#

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

C#

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

C#

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

C#

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

C#

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

C#

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

C#

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

C#

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

C#

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

C#

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

C#

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

C#

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

C#

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

C#

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

C#

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

C#

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

C#

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

C#

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

C#

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

C#

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

C#

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

C#

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

C#

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

C#

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

C#

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

C#

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

C#

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

C#

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

C#

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

C#

745

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).

C#

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

C#

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

C#

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

C#

749

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

C#

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

C#

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

C#

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

C#

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

C#

754

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

C#

755

The product does not handle or incorrectly handles an exceptional condition.

C#

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

C#

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

C#

776

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

C#

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

C#

780

The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.

C#

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

C#

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

C#

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

C#

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

C#

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

C#

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

C#

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

C#

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C#

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

C#

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

C#

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

C#

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

C#

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

C#

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

C#

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

C#

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

C#

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

C#

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

C#

820

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

C#

827

The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.

C#

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

C#

833

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

C#

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

C#

835

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

C#

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

C#

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

C#

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

847

Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

852

Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

853

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

854

Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

855

Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C#

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

C#

863

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

C#

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C#

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C#

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C#

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

C#

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

C#

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

879

Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C#

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

C#

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

C#

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

C#

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

C#

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

C#

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

C#

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

C#

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

C#

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

C#

894

This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).

C#

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

C#

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

C#

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

C#

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

C#

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

C#

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C#

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

C#

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

C#

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

C#

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

C#

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

C#

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

C#

915

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

C#

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

C#

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

C#

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

C#

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C#

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

C#

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

C#

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

C#

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

C#

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

C#

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

C#

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

C#

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

C#

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

C#

942

The product uses a cross-domain policy file that includes domains that should not be trusted.

C#

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

C#

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

C#

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

C#

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

C#

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

C#

948

This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.

C#

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

C#

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

C#

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

C#

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

C#

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

C#

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

C#

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

C#

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

C#

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

C#

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

C#

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

C#

964

This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.

C#

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

C#

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

C#

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

C#

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

C#

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

C#

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

C#

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

C#

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

C#

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

C#

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

C#

986

This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).

C#

988

This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).

C#

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

C#

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

C#

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

C#

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

C#

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

C#

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

C#

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

C#

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

C#

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

C#

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

C#

1004

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

C#

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

C#

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

C#

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

C#

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

C#

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

C#

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

C#

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

C#

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

C#

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

C#

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

C#

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

C#

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

C#

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

C#

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

C#

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

C#

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

C#

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

C#

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

C#

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

C#

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

C#

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

C#

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

C#

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

C#

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

C#

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

C#

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

C#

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

C#

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

C#

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

C#

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

C#

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

C#

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

C#

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

C#

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1142

Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1143

Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1145

Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

C#

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

C#

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

C#

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

C#

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

C#

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

C#

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

C#

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

C#

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

C#

1166

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.

C#

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

C#

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

C#

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

C#

1171

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.

C#

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

C#

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

C#

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

C#

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

C#

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

C#

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

C#

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

C#

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

C#

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

C#

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

C#

1204

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

C#

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

C#

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

C#

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

C#

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

C#

1213

Weaknesses in this category are related to a software system's random number generation.

C#

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

C#

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

C#

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

C#

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

C#

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

C#

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

C#

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

C#

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

C#

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

C#

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

C#

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

C#

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

C#

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

C#

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

C#

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

C#

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

C#

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

C#

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

C#

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

C#

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

C#

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

C#

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C#

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C#

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C#

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C#

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C#

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1376

Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C#

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

C#

1396

Weaknesses in this category are related to access control.

C#

1397

Weaknesses in this category are related to comparison.

C#

1398

Weaknesses in this category are related to component interaction.

C#

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

C#

1401

Weaknesses in this category are related to concurrency.

C#

1402

Weaknesses in this category are related to encryption.

C#

1403

Weaknesses in this category are related to exposed resource.

C#

1404

Weaknesses in this category are related to file handling.

C#

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

C#

1406

Weaknesses in this category are related to improper input validation.

C#

1407

Weaknesses in this category are related to improper neutralization.

C#

1408

Weaknesses in this category are related to incorrect calculation.

C#

1409

Weaknesses in this category are related to injection.

C#

1410

Weaknesses in this category are related to insufficient control flow management.

C#

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

C#

1412

Weaknesses in this category are related to poor coding practices.

C#

1413

Weaknesses in this category are related to protection mechanism failure.

C#

1414

Weaknesses in this category are related to randomness.

C#

1415

Weaknesses in this category are related to resource control.

C#

1416

Weaknesses in this category are related to resource lifecycle management.

C#

1417

Weaknesses in this category are related to sensitive information exposure.

C#

1418

Weaknesses in this category are related to violation of secure design principles.

C/C++

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

C/C++

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

C/C++

14

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

C/C++

16

Weaknesses in this category are typically introduced during the configuration of the software.

C/C++

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

C/C++

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

C/C++

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

C/C++

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

C/C++

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

C/C++

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

C/C++

59

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

C/C++

66

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

C/C++

67

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

C/C++

68

This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships.

C/C++

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

C/C++

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

C/C++

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

C/C++

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

C/C++

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

C/C++

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

C/C++

93

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

C/C++

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

C/C++

99

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

C/C++

113

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

C/C++

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

C/C++

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

C/C++

118

The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

C/C++

119

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

C/C++

120

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

C/C++

121

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

C/C++

122

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

C/C++

123

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

C/C++

124

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

C/C++

125

The product reads data past the end, or before the beginning, of the intended buffer.

C/C++

126

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

C/C++

127

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

C/C++

128

Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.

C/C++

129

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

C/C++

130

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

C/C++

131

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

C/C++

133

Weaknesses in this category are related to the creation and modification of strings.

C/C++

134

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

C/C++

135

The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

C/C++

136

Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types.

C/C++

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

C/C++

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

C/C++

140

The product does not neutralize or incorrectly neutralizes delimiters.

C/C++

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

C/C++

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

C/C++

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

C/C++

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

C/C++

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

C/C++

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

C/C++

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

C/C++

169

This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy.

C/C++

170

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

C/C++

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

C/C++

187

The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

C/C++

188

The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

C/C++

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

C/C++

190

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

C/C++

191

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

C/C++

192

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

C/C++

193

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

C/C++

194

The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

C/C++

195

The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

C/C++

197

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

C/C++

198

The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.

C/C++

199

Weaknesses in this category are related to improper handling of sensitive information.

C/C++

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

C/C++

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

C/C++

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

C/C++

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

C/C++

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

C/C++

216

This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.

C/C++

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

C/C++

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

C/C++

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

C/C++

228

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

C/C++

237

The product does not handle or incorrectly handles inputs that are related to complex structures.

C/C++

240

The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.

C/C++

241

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

C/C++

242

The product calls a function that can never be guaranteed to work safely.

C/C++

243

The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.

C/C++

244

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

C/C++

247

This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.

C/C++

248

An exception is thrown from a function, but it is not caught.

C/C++

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

C/C++

252

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

C/C++

253

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

C/C++

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

C/C++

255

Weaknesses in this category are related to the management of credentials.

C/C++

256

Storing a password in plaintext may result in a system compromise.

C/C++

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

C/C++

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

C/C++

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

C/C++

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

C/C++

269

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

C/C++

271

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

C/C++

272

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

C/C++

273

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

C/C++

275

Weaknesses in this category are related to improper assignment or handling of permissions.

C/C++

276

During installation, installed file permissions are set to allow anyone to modify those files.

C/C++

282

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

C/C++

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

C/C++

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

C/C++

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

C/C++

290

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

C/C++

291

The product uses an IP address for authentication.

C/C++

293

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

C/C++

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

C/C++

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

C/C++

311

The product does not encrypt sensitive or critical information before storage or transmission.

C/C++

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

C/C++

313

The product stores sensitive information in cleartext in a file, or on disk.

C/C++

314

The product stores sensitive information in cleartext in the registry.

C/C++

315

The product stores sensitive information in cleartext in a cookie.

C/C++

317

The product stores sensitive information in cleartext within the GUI.

C/C++

318

The product stores sensitive information in cleartext in an executable.

C/C++

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

C/C++

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

C/C++

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

C/C++

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

C/C++

327

The product uses a broken or risky cryptographic algorithm or protocol.

C/C++

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

C/C++

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

C/C++

335

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

C/C++

336

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

C/C++

337

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

C/C++

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

C/C++

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

C/C++

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

C/C++

350

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

C/C++

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

C/C++

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

C/C++

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

C/C++

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

C/C++

362

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

C/C++

363

The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.

C/C++

364

The product uses a signal handler that introduces a race condition.

C/C++

366

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

C/C++

367

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

C/C++

369

The product divides a value by zero.

C/C++

376

This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).

C/C++

377

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

C/C++

379

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

C/C++

380

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

381

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

387

Weaknesses in this category are related to the improper handling of signals.

C/C++

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

C/C++

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

C/C++

391

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

C/C++

393

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.

C/C++

394

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

C/C++

396

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

C/C++

397

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

C/C++

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

C/C++

399

Weaknesses in this category are related to improper management of system resources.

C/C++

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

C/C++

401

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

C/C++

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

C/C++

411

Weaknesses in this category are related to improper handling of locks that are used to control access to resources.

C/C++

415

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

C/C++

416

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

C/C++

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

C/C++

427

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

C/C++

429

Weaknesses in this category are related to improper management of handlers.

C/C++

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

C/C++

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

C/C++

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

C/C++

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

C/C++

456

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

C/C++

457

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

C/C++

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

C/C++

460

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

C/C++

461

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

464

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

C/C++

465

Weaknesses in this category are related to improper handling of pointers.

C/C++

467

The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.

C/C++

468

In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.

C/C++

469

The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

C/C++

471

The product does not properly protect an assumed-immutable element from being modified by an attacker.

C/C++

475

The behavior of this function is undefined unless its control parameter is set to a specific value.

C/C++

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

C/C++

477

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

C/C++

478

The code does not have a default case in an expression with multiple conditions, such as a switch statement.

C/C++

479

The product defines a signal handler that calls a non-reentrant function.

C/C++

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

C/C++

481

The code uses an operator for assignment when the intention was to perform a comparison.

C/C++

482

The code uses an operator for comparison when the intention was to perform an assignment.

C/C++

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

C/C++

484

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

C/C++

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

C/C++

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

C/C++

490

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

493

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

C/C++

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

C/C++

500

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

C/C++

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

C/C++

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

C/C++

526

The product uses an environment variable to store unencrypted sensitive information.

C/C++

528

The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

C/C++

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

C/C++

535

A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.

C/C++

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

C/C++

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

C/C++

539

The web application uses persistent cookies, but the cookies contain sensitive information.

C/C++

543

The product uses the singleton pattern when creating a resource within a multithreaded environment.

C/C++

547

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.

C/C++

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

C/C++

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

C/C++

557

Weaknesses in this category are related to concurrent use of shared resources.

C/C++

558

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

C/C++

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

C/C++

561

The product contains dead code, which can never be executed.

C/C++

562

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

C/C++

563

The variable's value is assigned but never used, making it a dead store.

C/C++

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

C/C++

567

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

C/C++

569

Weaknesses in this category are related to incorrectly written expressions within code.

C/C++

570

The product contains an expression that will always evaluate to false.

C/C++

571

The product contains an expression that will always evaluate to true.

C/C++

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

C/C++

590

The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().

C/C++

592

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

C/C++

595

The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

C/C++

597

The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.

C/C++

606

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

C/C++

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

C/C++

617

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

C/C++

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

C/C++

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C/C++

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

C/C++

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

C/C++

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

C/C++

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

C/C++

637

The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.

C/C++

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

C/C++

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

C/C++

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

C/C++

655

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

C/C++

657

The product violates well-established principles for secure design.

C/C++

662

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

C/C++

663

The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

C/C++

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

C/C++

665

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

C/C++

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

C/C++

667

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

C/C++

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

C/C++

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

C/C++

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

C/C++

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

C/C++

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

C/C++

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

C/C++

675

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

C/C++

676

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

C/C++

680

The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.

C/C++

681

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

C/C++

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

C/C++

683

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

C/C++

684

The code does not function according to its published specifications, potentially leading to incorrect usage.

C/C++

685

The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

C/C++

686

The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.

C/C++

687

The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.

C/C++

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

C/C++

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

C/C++

694

The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.

C/C++

696

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

C/C++

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

C/C++

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

C/C++

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

C/C++

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

C/C++

704

The product does not correctly convert an object, resource, or structure from one type to a different type.

C/C++

705

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

C/C++

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

C/C++

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

C/C++

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

C/C++

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C/C++

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

C/C++

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

C/C++

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

C/C++

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

C/C++

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

C/C++

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

C/C++

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

C/C++

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

C/C++

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

C/C++

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

C/C++

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

C/C++

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

C/C++

726

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.

C/C++

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

C/C++

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

C/C++

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

C/C++

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

C/C++

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

C/C++

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

C/C++

733

The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.

C/C++

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

C/C++

735

Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008).

C/C++

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

C/C++

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

C/C++

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

C/C++

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

C/C++

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

C/C++

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

C/C++

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

C/C++

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

C/C++

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

C/C++

745

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).

C/C++

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

C/C++

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

C/C++

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

C/C++

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

C/C++

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

C/C++

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

C/C++

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

C/C++

754

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

C/C++

755

The product does not handle or incorrectly handles an exceptional condition.

C/C++

758

The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.

C/C++

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

C/C++

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

C/C++

762

The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.

C/C++

763

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

C/C++

764

The product locks a critical resource more times than intended, leading to an unexpected state in the system.

C/C++

765

The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.

C/C++

769

This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774.

C/C++

770

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

C/C++

771

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

C/C++

772

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

C/C++

775

The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

C/C++

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

C/C++

786

The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

C/C++

787

The product writes data past the end, or before the beginning, of the intended buffer.

C/C++

788

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

C/C++

789

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

C/C++

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

C/C++

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

C/C++

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

C/C++

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

C/C++

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

C/C++

805

The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

C/C++

806

The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.

C/C++

807

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

C/C++

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

C/C++

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C/C++

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

C/C++

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

C/C++

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

C/C++

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

C/C++

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

C/C++

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

C/C++

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

C/C++

820

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

C/C++

823

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

C/C++

824

The product accesses or uses a pointer that has not been initialized.

C/C++

825

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

C/C++

828

The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.

C/C++

833

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

C/C++

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

C/C++

835

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

C/C++

839

The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

C/C++

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

C/C++

843

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

C/C++

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

C/C++

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

846

Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

847

Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

849

Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

852

Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

853

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

854

Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

C/C++

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

C/C++

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C/C++

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C/C++

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C/C++

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

C/C++

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

C/C++

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

879

Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

C/C++

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

C/C++

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

C/C++

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

C/C++

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

C/C++

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

C/C++

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

C/C++

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

C/C++

891

This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38).

C/C++

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

C/C++

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

C/C++

894

This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).

C/C++

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

C/C++

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

C/C++

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

C/C++

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

C/C++

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

C/C++

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

C/C++

901

This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).

C/C++

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

C/C++

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

C/C++

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

C/C++

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

C/C++

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

C/C++

908

The product uses or accesses a resource that has not been initialized.

C/C++

909

The product does not initialize a critical resource.

C/C++

910

The product uses or accesses a file descriptor after it has been closed.

C/C++

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

C/C++

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

C/C++

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

C/C++

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

C/C++

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

C/C++

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

C/C++

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

C/C++

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

C/C++

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

C/C++

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

C/C++

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

C/C++

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

C/C++

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

C/C++

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

C/C++

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

C/C++

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

C/C++

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

C/C++

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

C/C++

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

C/C++

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

C/C++

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

C/C++

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

C/C++

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

C/C++

960

This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5).

C/C++

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

C/C++

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

C/C++

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

C/C++

964

This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.

C/C++

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

C/C++

969

This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12).

C/C++

970

This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).

C/C++

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

C/C++

973

This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11).

C/C++

974

This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10).

C/C++

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

C/C++

976

This category identifies Software Fault Patterns (SFPs) within the Compiler cluster.

C/C++

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

C/C++

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

C/C++

979

This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17).

C/C++

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

C/C++

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

C/C++

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

C/C++

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

C/C++

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

C/C++

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

C/C++

986

This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).

C/C++

987

This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).

C/C++

988

This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).

C/C++

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

C/C++

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

C/C++

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

C/C++

993

This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.

C/C++

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

C/C++

995

This category identifies Software Fault Patterns (SFPs) within the Feature cluster.

C/C++

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

C/C++

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

C/C++

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

C/C++

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

C/C++

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

C/C++

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

C/C++

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

C/C++

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

C/C++

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

C/C++

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

C/C++

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

C/C++

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

C/C++

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

C/C++

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

C/C++

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

C/C++

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

C/C++

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

C/C++

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

C/C++

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

C/C++

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

C/C++

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

C/C++

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

C/C++

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

C/C++

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

C/C++

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

C/C++

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

C/C++

1037

The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.

C/C++

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

C/C++

1045

A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.

C/C++

1055

The product contains a class with inheritance from more than one concrete class.

C/C++

1059

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.

C/C++

1061

The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.

C/C++

1076

The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.

C/C++

1077

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.

C/C++

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

C/C++

1079

A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.

C/C++

1095

The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.

C/C++

1108

The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.

C/C++

1109

The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.

C/C++

1113

The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.

C/C++

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

C/C++

1126

The source code declares a variable in one scope, but the variable is only used within a narrower scope.

C/C++

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

C/C++

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

C/C++

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

C/C++

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

C/C++

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

C/C++

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1135

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1139

Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1142

Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1143

Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

C/C++

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

C/C++

1156

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard.

C/C++

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

C/C++

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

C/C++

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

C/C++

1160

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.

C/C++

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

C/C++

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

C/C++

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

C/C++

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

C/C++

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

C/C++

1166

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.

C/C++

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

C/C++

1168

Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard.

C/C++

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

C/C++

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

C/C++

1171

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.

C/C++

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

C/C++

1177

The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.

C/C++

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

C/C++

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

C/C++

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

C/C++

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

C/C++

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

C/C++

1185

Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard.

C/C++

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

C/C++

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

C/C++

1195

Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain.

C/C++

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

C/C++

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

C/C++

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

C/C++

1205

Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs).

C/C++

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

C/C++

1208

Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components.

C/C++

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

C/C++

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

C/C++

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

C/C++

1213

Weaknesses in this category are related to a software system's random number generation.

C/C++

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

C/C++

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

C/C++

1218

Weaknesses in this category are related to the handling of memory buffers within a software system.

C/C++

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

C/C++

1226

Weaknesses in this category are associated with things being overly complex.

C/C++

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

C/C++

1237

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37).

C/C++

1238

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38).

C/C++

1241

The device uses an algorithm that is predictable and generates a pseudo-random number.

C/C++

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

C/C++

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

C/C++

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

C/C++

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

C/C++

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

C/C++

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

C/C++

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

C/C++

1341

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

C/C++

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

C/C++

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

C/C++

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

C/C++

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

C/C++

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

C/C++

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

C/C++

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

C/C++

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

C/C++

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

C/C++

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

C/C++

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

C/C++

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C/C++

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C/C++

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C/C++

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C/C++

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

C/C++

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1373

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1376

Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1379

Weaknesses in this category are related to the "Human factors in ICS environments" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Environmental factors in ICS including physical duress, system complexities, and isolation may result in security gaps or inadequacies in the performance of individual duties and responsibilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

C/C++

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

C/C++

1396

Weaknesses in this category are related to access control.

C/C++

1397

Weaknesses in this category are related to comparison.

C/C++

1398

Weaknesses in this category are related to component interaction.

C/C++

1399

Weaknesses in this category are related to memory safety.

C/C++

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

C/C++

1401

Weaknesses in this category are related to concurrency.

C/C++

1402

Weaknesses in this category are related to encryption.

C/C++

1403

Weaknesses in this category are related to exposed resource.

C/C++

1404

Weaknesses in this category are related to file handling.

C/C++

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

C/C++

1406

Weaknesses in this category are related to improper input validation.

C/C++

1407

Weaknesses in this category are related to improper neutralization.

C/C++

1408

Weaknesses in this category are related to incorrect calculation.

C/C++

1409

Weaknesses in this category are related to injection.

C/C++

1410

Weaknesses in this category are related to insufficient control flow management.

C/C++

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

C/C++

1412

Weaknesses in this category are related to poor coding practices.

C/C++

1413

Weaknesses in this category are related to protection mechanism failure.

C/C++

1414

Weaknesses in this category are related to randomness.

C/C++

1415

Weaknesses in this category are related to resource control.

C/C++

1416

Weaknesses in this category are related to resource lifecycle management.

C/C++

1417

Weaknesses in this category are related to sensitive information exposure.

C/C++

1418

Weaknesses in this category are related to violation of secure design principles.

CUDA

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

CUDA

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

CUDA

14

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

CUDA

16

Weaknesses in this category are typically introduced during the configuration of the software.

CUDA

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

CUDA

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CUDA

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

CUDA

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CUDA

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

CUDA

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

CUDA

59

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CUDA

66

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

CUDA

67

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

CUDA

68

This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships.

CUDA

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CUDA

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CUDA

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CUDA

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CUDA

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CUDA

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

CUDA

93

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CUDA

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CUDA

99

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

CUDA

113

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

CUDA

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CUDA

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

CUDA

118

The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

CUDA

119

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CUDA

120

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

CUDA

121

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

CUDA

122

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

CUDA

123

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

CUDA

124

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

CUDA

125

The product reads data past the end, or before the beginning, of the intended buffer.

CUDA

126

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

CUDA

127

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

CUDA

128

Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.

CUDA

129

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

CUDA

130

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

CUDA

131

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

CUDA

133

Weaknesses in this category are related to the creation and modification of strings.

CUDA

134

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

CUDA

135

The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

CUDA

136

Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types.

CUDA

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

CUDA

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

CUDA

140

The product does not neutralize or incorrectly neutralizes delimiters.

CUDA

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

CUDA

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

CUDA

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

CUDA

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

CUDA

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

CUDA

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

CUDA

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

CUDA

169

This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy.

CUDA

170

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

CUDA

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

CUDA

187

The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

CUDA

188

The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

CUDA

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

CUDA

190

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

CUDA

191

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

CUDA

192

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

CUDA

193

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

CUDA

194

The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

CUDA

195

The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

CUDA

197

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

CUDA

198

The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.

CUDA

199

Weaknesses in this category are related to improper handling of sensitive information.

CUDA

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CUDA

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

CUDA

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

CUDA

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

CUDA

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

CUDA

216

This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.

CUDA

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

CUDA

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

CUDA

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

CUDA

228

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

CUDA

237

The product does not handle or incorrectly handles inputs that are related to complex structures.

CUDA

240

The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not.

CUDA

241

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

CUDA

242

The product calls a function that can never be guaranteed to work safely.

CUDA

243

The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.

CUDA

244

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

CUDA

247

This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.

CUDA

248

An exception is thrown from a function, but it is not caught.

CUDA

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

CUDA

252

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

CUDA

253

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

CUDA

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

CUDA

255

Weaknesses in this category are related to the management of credentials.

CUDA

256

Storing a password in plaintext may result in a system compromise.

CUDA

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

CUDA

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

CUDA

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

CUDA

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

CUDA

269

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CUDA

271

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

CUDA

272

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

CUDA

273

The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.

CUDA

275

Weaknesses in this category are related to improper assignment or handling of permissions.

CUDA

276

During installation, installed file permissions are set to allow anyone to modify those files.

CUDA

282

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

CUDA

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CUDA

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CUDA

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CUDA

290

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CUDA

291

The product uses an IP address for authentication.

CUDA

293

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

CUDA

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

CUDA

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

CUDA

311

The product does not encrypt sensitive or critical information before storage or transmission.

CUDA

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

CUDA

313

The product stores sensitive information in cleartext in a file, or on disk.

CUDA

314

The product stores sensitive information in cleartext in the registry.

CUDA

315

The product stores sensitive information in cleartext in a cookie.

CUDA

317

The product stores sensitive information in cleartext within the GUI.

CUDA

318

The product stores sensitive information in cleartext in an executable.

CUDA

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CUDA

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

CUDA

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CUDA

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

CUDA

327

The product uses a broken or risky cryptographic algorithm or protocol.

CUDA

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

CUDA

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CUDA

335

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

CUDA

336

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

CUDA

337

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

CUDA

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

CUDA

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

CUDA

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

CUDA

350

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

CUDA

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

CUDA

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

CUDA

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CUDA

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

CUDA

362

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

CUDA

363

The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file.

CUDA

364

The product uses a signal handler that introduces a race condition.

CUDA

366

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

CUDA

367

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

CUDA

369

The product divides a value by zero.

CUDA

376

This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).

CUDA

377

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

CUDA

379

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

CUDA

380

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

381

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

387

Weaknesses in this category are related to the improper handling of signals.

CUDA

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

CUDA

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

CUDA

391

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

CUDA

393

A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result.

CUDA

394

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

CUDA

396

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

CUDA

397

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

CUDA

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

CUDA

399

Weaknesses in this category are related to improper management of system resources.

CUDA

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CUDA

401

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

CUDA

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

CUDA

411

Weaknesses in this category are related to improper handling of locks that are used to control access to resources.

CUDA

415

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

CUDA

416

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CUDA

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

CUDA

427

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

CUDA

429

Weaknesses in this category are related to improper management of handlers.

CUDA

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

CUDA

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

CUDA

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

CUDA

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

CUDA

456

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

CUDA

457

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

CUDA

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

CUDA

460

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

CUDA

461

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

464

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

CUDA

465

Weaknesses in this category are related to improper handling of pointers.

CUDA

467

The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.

CUDA

468

In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.

CUDA

469

The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

CUDA

471

The product does not properly protect an assumed-immutable element from being modified by an attacker.

CUDA

475

The behavior of this function is undefined unless its control parameter is set to a specific value.

CUDA

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

CUDA

477

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

CUDA

478

The code does not have a default case in an expression with multiple conditions, such as a switch statement.

CUDA

479

The product defines a signal handler that calls a non-reentrant function.

CUDA

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

CUDA

481

The code uses an operator for assignment when the intention was to perform a comparison.

CUDA

482

The code uses an operator for comparison when the intention was to perform an assignment.

CUDA

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

CUDA

484

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

CUDA

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

CUDA

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

CUDA

490

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

493

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

CUDA

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

CUDA

500

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

CUDA

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

CUDA

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

CUDA

526

The product uses an environment variable to store unencrypted sensitive information.

CUDA

528

The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors.

CUDA

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

CUDA

535

A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system.

CUDA

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

CUDA

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

CUDA

539

The web application uses persistent cookies, but the cookies contain sensitive information.

CUDA

543

The product uses the singleton pattern when creating a resource within a multithreaded environment.

CUDA

547

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.

CUDA

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

CUDA

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

CUDA

557

Weaknesses in this category are related to concurrent use of shared resources.

CUDA

558

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

CUDA

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

CUDA

561

The product contains dead code, which can never be executed.

CUDA

562

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

CUDA

563

The variable's value is assigned but never used, making it a dead store.

CUDA

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

CUDA

567

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

CUDA

569

Weaknesses in this category are related to incorrectly written expressions within code.

CUDA

570

The product contains an expression that will always evaluate to false.

CUDA

571

The product contains an expression that will always evaluate to true.

CUDA

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

CUDA

590

The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().

CUDA

592

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

CUDA

595

The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

CUDA

597

The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.

CUDA

606

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

CUDA

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

CUDA

617

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

CUDA

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

CUDA

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

CUDA

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

CUDA

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

CUDA

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

CUDA

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

CUDA

637

The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.

CUDA

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CUDA

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

CUDA

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

CUDA

655

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

CUDA

657

The product violates well-established principles for secure design.

CUDA

662

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

CUDA

663

The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

CUDA

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

CUDA

665

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

CUDA

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

CUDA

667

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

CUDA

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CUDA

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

CUDA

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

CUDA

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

CUDA

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

CUDA

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

CUDA

675

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

CUDA

676

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

CUDA

680

The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.

CUDA

681

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

CUDA

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

CUDA

683

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

CUDA

684

The code does not function according to its published specifications, potentially leading to incorrect usage.

CUDA

685

The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.

CUDA

686

The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.

CUDA

687

The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.

CUDA

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

CUDA

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CUDA

694

The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.

CUDA

696

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

CUDA

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

CUDA

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

CUDA

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

CUDA

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

CUDA

704

The product does not correctly convert an object, resource, or structure from one type to a different type.

CUDA

705

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

CUDA

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

CUDA

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

CUDA

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

CUDA

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

CUDA

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

CUDA

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

CUDA

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

CUDA

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

CUDA

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

CUDA

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

CUDA

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

CUDA

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

CUDA

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

CUDA

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

CUDA

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

CUDA

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

CUDA

726

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.

CUDA

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

CUDA

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

CUDA

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

CUDA

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

CUDA

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

CUDA

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CUDA

733

The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.

CUDA

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

CUDA

735

Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008).

CUDA

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

CUDA

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

CUDA

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

CUDA

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

CUDA

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

CUDA

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

CUDA

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

CUDA

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

CUDA

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

CUDA

745

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).

CUDA

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

CUDA

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

CUDA

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

CUDA

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

CUDA

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

CUDA

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

CUDA

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

CUDA

754

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

CUDA

755

The product does not handle or incorrectly handles an exceptional condition.

CUDA

758

The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.

CUDA

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

CUDA

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

CUDA

762

The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.

CUDA

763

The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly.

CUDA

764

The product locks a critical resource more times than intended, leading to an unexpected state in the system.

CUDA

765

The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.

CUDA

769

This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774.

CUDA

770

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

CUDA

771

The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.

CUDA

772

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

CUDA

775

The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed.

CUDA

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

CUDA

786

The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

CUDA

787

The product writes data past the end, or before the beginning, of the intended buffer.

CUDA

788

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

CUDA

789

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

CUDA

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

CUDA

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

CUDA

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

CUDA

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

CUDA

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

CUDA

805

The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

CUDA

806

The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.

CUDA

807

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

CUDA

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

CUDA

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

CUDA

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

CUDA

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

CUDA

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

CUDA

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

CUDA

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

CUDA

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

CUDA

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

CUDA

820

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

CUDA

823

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

CUDA

824

The product accesses or uses a pointer that has not been initialized.

CUDA

825

The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

CUDA

828

The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted.

CUDA

833

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

CUDA

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

CUDA

835

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

CUDA

839

The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

CUDA

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

CUDA

843

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

CUDA

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

CUDA

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

846

Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

847

Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

849

Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

852

Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

853

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

854

Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

CUDA

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CUDA

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

CUDA

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

CUDA

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

CUDA

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

CUDA

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

CUDA

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

879

Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

CUDA

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

CUDA

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

CUDA

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

CUDA

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

CUDA

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

CUDA

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

CUDA

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

CUDA

891

This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38).

CUDA

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

CUDA

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

CUDA

894

This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).

CUDA

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

CUDA

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

CUDA

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

CUDA

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

CUDA

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

CUDA

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

CUDA

901

This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).

CUDA

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

CUDA

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

CUDA

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

CUDA

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

CUDA

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

CUDA

908

The product uses or accesses a resource that has not been initialized.

CUDA

909

The product does not initialize a critical resource.

CUDA

910

The product uses or accesses a file descriptor after it has been closed.

CUDA

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

CUDA

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

CUDA

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CUDA

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

CUDA

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

CUDA

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

CUDA

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

CUDA

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

CUDA

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

CUDA

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

CUDA

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

CUDA

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

CUDA

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

CUDA

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

CUDA

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

CUDA

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

CUDA

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

CUDA

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

CUDA

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

CUDA

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

CUDA

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

CUDA

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

CUDA

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

CUDA

960

This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5).

CUDA

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

CUDA

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

CUDA

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

CUDA

964

This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.

CUDA

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

CUDA

969

This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12).

CUDA

970

This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).

CUDA

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

CUDA

973

This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11).

CUDA

974

This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10).

CUDA

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

CUDA

976

This category identifies Software Fault Patterns (SFPs) within the Compiler cluster.

CUDA

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

CUDA

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

CUDA

979

This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17).

CUDA

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

CUDA

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

CUDA

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

CUDA

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

CUDA

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

CUDA

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

CUDA

986

This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).

CUDA

987

This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).

CUDA

988

This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).

CUDA

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

CUDA

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

CUDA

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

CUDA

993

This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.

CUDA

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

CUDA

995

This category identifies Software Fault Patterns (SFPs) within the Feature cluster.

CUDA

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

CUDA

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

CUDA

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

CUDA

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

CUDA

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

CUDA

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

CUDA

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

CUDA

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

CUDA

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

CUDA

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

CUDA

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

CUDA

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

CUDA

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

CUDA

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

CUDA

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

CUDA

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

CUDA

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

CUDA

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

CUDA

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

CUDA

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

CUDA

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

CUDA

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

CUDA

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

CUDA

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

CUDA

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

CUDA

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

CUDA

1037

The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.

CUDA

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

CUDA

1045

A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.

CUDA

1055

The product contains a class with inheritance from more than one concrete class.

CUDA

1059

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.

CUDA

1061

The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.

CUDA

1076

The product's architecture, source code, design, documentation, or other artifact does not follow required conventions.

CUDA

1077

The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision.

CUDA

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

CUDA

1079

A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.

CUDA

1095

The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.

CUDA

1108

The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context.

CUDA

1109

The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.

CUDA

1113

The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product.

CUDA

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

CUDA

1126

The source code declares a variable in one scope, but the variable is only used within a narrower scope.

CUDA

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

CUDA

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

CUDA

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

CUDA

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

CUDA

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

CUDA

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1135

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1139

Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1142

Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1143

Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

CUDA

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

CUDA

1156

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard.

CUDA

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

CUDA

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

CUDA

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

CUDA

1160

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.

CUDA

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

CUDA

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

CUDA

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

CUDA

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

CUDA

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

CUDA

1166

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.

CUDA

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

CUDA

1168

Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard.

CUDA

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

CUDA

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

CUDA

1171

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.

CUDA

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

CUDA

1177

The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.

CUDA

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

CUDA

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

CUDA

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

CUDA

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

CUDA

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

CUDA

1185

Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard.

CUDA

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

CUDA

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

CUDA

1195

Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain.

CUDA

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

CUDA

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

CUDA

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

CUDA

1205

Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs).

CUDA

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

CUDA

1208

Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components.

CUDA

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

CUDA

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

CUDA

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

CUDA

1213

Weaknesses in this category are related to a software system's random number generation.

CUDA

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

CUDA

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

CUDA

1218

Weaknesses in this category are related to the handling of memory buffers within a software system.

CUDA

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

CUDA

1226

Weaknesses in this category are associated with things being overly complex.

CUDA

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

CUDA

1237

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37).

CUDA

1238

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38).

CUDA

1241

The device uses an algorithm that is predictable and generates a pseudo-random number.

CUDA

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

CUDA

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

CUDA

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

CUDA

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

CUDA

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

CUDA

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

CUDA

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

CUDA

1341

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

CUDA

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

CUDA

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

CUDA

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

CUDA

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

CUDA

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

CUDA

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

CUDA

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

CUDA

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

CUDA

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

CUDA

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

CUDA

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

CUDA

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

CUDA

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

CUDA

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

CUDA

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

CUDA

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

CUDA

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1373

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1376

Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1379

Weaknesses in this category are related to the "Human factors in ICS environments" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Environmental factors in ICS including physical duress, system complexities, and isolation may result in security gaps or inadequacies in the performance of individual duties and responsibilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

CUDA

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

CUDA

1396

Weaknesses in this category are related to access control.

CUDA

1397

Weaknesses in this category are related to comparison.

CUDA

1398

Weaknesses in this category are related to component interaction.

CUDA

1399

Weaknesses in this category are related to memory safety.

CUDA

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

CUDA

1401

Weaknesses in this category are related to concurrency.

CUDA

1402

Weaknesses in this category are related to encryption.

CUDA

1403

Weaknesses in this category are related to exposed resource.

CUDA

1404

Weaknesses in this category are related to file handling.

CUDA

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

CUDA

1406

Weaknesses in this category are related to improper input validation.

CUDA

1407

Weaknesses in this category are related to improper neutralization.

CUDA

1408

Weaknesses in this category are related to incorrect calculation.

CUDA

1409

Weaknesses in this category are related to injection.

CUDA

1410

Weaknesses in this category are related to insufficient control flow management.

CUDA

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

CUDA

1412

Weaknesses in this category are related to poor coding practices.

CUDA

1413

Weaknesses in this category are related to protection mechanism failure.

CUDA

1414

Weaknesses in this category are related to randomness.

CUDA

1415

Weaknesses in this category are related to resource control.

CUDA

1416

Weaknesses in this category are related to resource lifecycle management.

CUDA

1417

Weaknesses in this category are related to sensitive information exposure.

CUDA

1418

Weaknesses in this category are related to violation of secure design principles.

Go

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

Go

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Go

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

Go

16

Weaknesses in this category are typically introduced during the configuration of the software.

Go

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Go

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Go

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Go

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Go

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

Go

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Go

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Go

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Go

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Go

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Go

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Go

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Go

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Go

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Go

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Go

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

Go

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

Go

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Go

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Go

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Go

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Go

93

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Go

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Go

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Go

113

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Go

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Go

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Go

118

The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

Go

119

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Go

133

Weaknesses in this category are related to the creation and modification of strings.

Go

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Go

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Go

140

The product does not neutralize or incorrectly neutralizes delimiters.

Go

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

Go

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

Go

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

Go

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

Go

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Go

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Go

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

Go

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Go

183

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Go

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

Go

199

Weaknesses in this category are related to improper handling of sensitive information.

Go

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Go

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Go

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Go

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Go

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

Go

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

Go

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

Go

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Go

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

Go

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

Go

252

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Go

253

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

Go

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Go

255

Weaknesses in this category are related to the management of credentials.

Go

256

Storing a password in plaintext may result in a system compromise.

Go

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Go

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Go

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Go

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

Go

275

Weaknesses in this category are related to improper assignment or handling of permissions.

Go

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Go

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Go

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Go

295

The product does not validate, or incorrectly validates, a certificate.

Go

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Go

304

The product implements an authentication technique, but it skips a step that weakens the technique.

Go

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Go

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Go

311

The product does not encrypt sensitive or critical information before storage or transmission.

Go

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Go

313

The product stores sensitive information in cleartext in a file, or on disk.

Go

314

The product stores sensitive information in cleartext in the registry.

Go

315

The product stores sensitive information in cleartext in a cookie.

Go

317

The product stores sensitive information in cleartext within the GUI.

Go

318

The product stores sensitive information in cleartext in an executable.

Go

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Go

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

Go

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Go

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Go

327

The product uses a broken or risky cryptographic algorithm or protocol.

Go

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

Go

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Go

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Go

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Go

346

The product does not properly verify that the source of data or communication is valid.

Go

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Go

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

Go

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

Go

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Go

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Go

362

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Go

366

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Go

369

The product divides a value by zero.

Go

371

Weaknesses in this category are related to improper management of system state.

Go

384

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Go

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

Go

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

Go

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Go

399

Weaknesses in this category are related to improper management of system resources.

Go

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

Go

405

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

Go

409

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Go

411

Weaknesses in this category are related to improper handling of locks that are used to control access to resources.

Go

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

Go

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

Go

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Go

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

Go

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Go

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Go

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

Go

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Go

465

Weaknesses in this category are related to improper handling of pointers.

Go

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Go

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

Go

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

Go

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Go

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Go

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

Go

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Go

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Go

526

The product uses an environment variable to store unencrypted sensitive information.

Go

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Go

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

Go

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Go

539

The web application uses persistent cookies, but the cookies contain sensitive information.

Go

548

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

Go

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

Go

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Go

557

Weaknesses in this category are related to concurrent use of shared resources.

Go

561

The product contains dead code, which can never be executed.

Go

563

The variable's value is assigned but never used, making it a dead store.

Go

565

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Go

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Go

567

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Go

569

Weaknesses in this category are related to incorrectly written expressions within code.

Go

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

Go

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Go

602

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

Go

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Go

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Go

613

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Go

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Go

617

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Go

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Go

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Go

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Go

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Go

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Go

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Go

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Go

642

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

Go

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Go

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Go

657

The product violates well-established principles for secure design.

Go

662

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

Go

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Go

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

Go

667

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Go

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Go

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Go

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Go

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Go

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Go

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Go

675

The product performs the same operation on a resource two or more times, when the operation should only be applied once.

Go

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Go

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Go

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Go

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Go

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Go

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Go

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Go

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Go

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Go

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Go

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Go

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Go

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

Go

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

Go

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

Go

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

Go

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

Go

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

Go

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

Go

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

Go

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

Go

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

Go

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Go

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

Go

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

Go

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

Go

726

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.

Go

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Go

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

Go

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

Go

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

Go

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

Go

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Go

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Go

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

Go

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Go

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

Go

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

Go

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

Go

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Go

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Go

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

Go

745

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).

Go

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Go

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Go

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

Go

749

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Go

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Go

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Go

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

Go

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

Go

754

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Go

755

The product does not handle or incorrectly handles an exceptional condition.

Go

764

The product locks a critical resource more times than intended, leading to an unexpected state in the system.

Go

765

The product unlocks a critical resource more times than intended, leading to an unexpected state in the system.

Go

776

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Go

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Go

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

Go

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Go

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Go

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

Go

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

Go

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

Go

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Go

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Go

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

Go

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

Go

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

Go

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

Go

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

Go

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

Go

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

Go

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

Go

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

Go

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

Go

820

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

Go

833

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Go

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

Go

835

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Go

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Go

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Go

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

847

Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

852

Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

853

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

855

Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Go

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Go

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Go

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Go

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Go

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Go

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Go

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

879

Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Go

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Go

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

Go

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

Go

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

Go

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Go

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

Go

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

Go

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Go

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

Go

894

This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).

Go

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

Go

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Go

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

Go

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

Go

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Go

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

Go

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

Go

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

Go

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

Go

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Go

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Go

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Go

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Go

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Go

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Go

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Go

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

Go

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

Go

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

Go

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

Go

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

Go

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

Go

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

Go

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

Go

942

The product uses a cross-domain policy file that includes domains that should not be trusted.

Go

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Go

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

Go

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

Go

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

Go

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

Go

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

Go

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

Go

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

Go

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

Go

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

Go

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

Go

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

Go

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

Go

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

Go

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

Go

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

Go

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

Go

970

This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).

Go

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

Go

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Go

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

Go

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Go

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

Go

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

Go

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

Go

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

Go

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Go

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

Go

986

This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).

Go

987

This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).

Go

988

This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).

Go

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Go

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

Go

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Go

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Go

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

Go

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

Go

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Go

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Go

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Go

1004

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Go

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Go

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Go

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Go

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

Go

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Go

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

Go

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

Go

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

Go

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Go

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Go

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

Go

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

Go

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Go

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Go

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Go

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

Go

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

Go

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

Go

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

Go

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

Go

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

Go

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

Go

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

Go

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

Go

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

Go

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

Go

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Go

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

Go

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

Go

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Go

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Go

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1142

Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1143

Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1145

Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Go

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Go

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

Go

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

Go

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

Go

1160

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.

Go

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

Go

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

Go

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Go

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

Go

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

Go

1166

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.

Go

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

Go

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

Go

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

Go

1171

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.

Go

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

Go

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Go

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Go

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

Go

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

Go

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

Go

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Go

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

Go

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Go

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

Go

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

Go

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

Go

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

Go

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

Go

1213

Weaknesses in this category are related to a software system's random number generation.

Go

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

Go

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

Go

1217

Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.

Go

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

Go

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

Go

1275

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

Go

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Go

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Go

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

Go

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Go

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

Go

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Go

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Go

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Go

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Go

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

Go

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Go

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

Go

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

Go

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Go

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

Go

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

Go

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

Go

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

Go

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Go

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Go

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Go

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Go

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Go

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1376

Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Go

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Go

1396

Weaknesses in this category are related to access control.

Go

1397

Weaknesses in this category are related to comparison.

Go

1398

Weaknesses in this category are related to component interaction.

Go

1399

Weaknesses in this category are related to memory safety.

Go

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Go

1401

Weaknesses in this category are related to concurrency.

Go

1402

Weaknesses in this category are related to encryption.

Go

1403

Weaknesses in this category are related to exposed resource.

Go

1404

Weaknesses in this category are related to file handling.

Go

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

Go

1406

Weaknesses in this category are related to improper input validation.

Go

1407

Weaknesses in this category are related to improper neutralization.

Go

1408

Weaknesses in this category are related to incorrect calculation.

Go

1409

Weaknesses in this category are related to injection.

Go

1410

Weaknesses in this category are related to insufficient control flow management.

Go

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

Go

1412

Weaknesses in this category are related to poor coding practices.

Go

1413

Weaknesses in this category are related to protection mechanism failure.

Go

1414

Weaknesses in this category are related to randomness.

Go

1415

Weaknesses in this category are related to resource control.

Go

1416

Weaknesses in this category are related to resource lifecycle management.

Go

1417

Weaknesses in this category are related to sensitive information exposure.

Go

1418

Weaknesses in this category are related to violation of secure design principles.

Java

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

Java

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

Java

16

Weaknesses in this category are typically introduced during the configuration of the software.

Java

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Java

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Java

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

Java

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Java

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Java

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Java

66

The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file.

Java

67

The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Java

68

This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships.

Java

73

The product allows user input to control or influence paths or file names that are used in filesystem operations.

Java

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Java

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Java

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Java

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Java

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Java

81

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page.

Java

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Java

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Java

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

Java

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

Java

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Java

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Java

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Java

90

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Java

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Java

93

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Java

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Java

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Java

96

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

Java

97

The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive.

Java

99

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

Java

100

This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy.

Java

101

This category has been deprecated. It was originally used for organizing the Development View (CWE-69 9), but it introduced unnecessary complexity and depth to the resulting tree.

Java

102

The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

Java

103

The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Java

104

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.

Java

106

When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.

Java

111

When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.

Java

113

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Java

114

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.

Java

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Java

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Java

118

The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

Java

119

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Java

133

Weaknesses in this category are related to the creation and modification of strings.

Java

134

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Java

135

The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

Java

136

Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types.

Java

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Java

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Java

140

The product does not neutralize or incorrectly neutralizes delimiters.

Java

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

Java

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

Java

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

Java

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

Java

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Java

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Java

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

Java

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Java

172

The product does not properly encode or decode the data, resulting in unexpected values.

Java

176

The product does not properly handle when an input contains Unicode encoding.

Java

179

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.

Java

180

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

Java

182

The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.

Java

183

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Java

185

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

Java

187

The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

Java

188

The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

Java

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

Java

190

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Java

192

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

Java

198

The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.

Java

199

Weaknesses in this category are related to improper handling of sensitive information.

Java

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Java

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Java

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Java

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Java

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

Java

216

This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry.

Java

218

This weakness has been deprecated because it was a duplicate of CWE-493. All content has been transferred to CWE-493.

Java

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

Java

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

Java

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Java

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

Java

242

The product calls a function that can never be guaranteed to work safely.

Java

245

The J2EE application directly manages connections, instead of using the container's connection management facilities.

Java

246

The J2EE application directly uses sockets instead of using framework method calls.

Java

247

This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.

Java

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

Java

250

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Java

252

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Java

253

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

Java

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Java

255

Weaknesses in this category are related to the management of credentials.

Java

256

Storing a password in plaintext may result in a system compromise.

Java

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Java

258

Using an empty string as a password is insecure.

Java

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Java

260

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

Java

261

Obscuring a password with a trivial encoding does not protect the password.

Java

263

The product supports password aging, but the expiration period is too long.

Java

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Java

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

Java

266

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Java

269

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Java

271

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

Java

272

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

Java

275

Weaknesses in this category are related to improper assignment or handling of permissions.

Java

276

During installation, installed file permissions are set to allow anyone to modify those files.

Java

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Java

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Java

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Java

290

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Java

291

The product uses an IP address for authentication.

Java

293

The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.

Java

295

The product does not validate, or incorrectly validates, a certificate.

Java

296

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

Java

297

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Java

299

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

Java

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Java

302

The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

Java

304

The product implements an authentication technique, but it skips a step that weakens the technique.

Java

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Java

308

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

Java

309

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

Java

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Java

311

The product does not encrypt sensitive or critical information before storage or transmission.

Java

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Java

313

The product stores sensitive information in cleartext in a file, or on disk.

Java

314

The product stores sensitive information in cleartext in the registry.

Java

315

The product stores sensitive information in cleartext in a cookie.

Java

317

The product stores sensitive information in cleartext within the GUI.

Java

318

The product stores sensitive information in cleartext in an executable.

Java

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Java

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

Java

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Java

324

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

Java

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Java

327

The product uses a broken or risky cryptographic algorithm or protocol.

Java

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

Java

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Java

335

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Java

336

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Java

337

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

Java

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Java

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Java

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Java

346

The product does not properly verify that the source of data or communication is valid.

Java

347

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Java

350

The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.

Java

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Java

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

Java

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

Java

358

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

Java

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Java

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Java

362

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Java

366

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Java

369

The product divides a value by zero.

Java

371

Weaknesses in this category are related to improper management of system state.

Java

374

The product sends non-cloned mutable data as an argument to a method or function.

Java

375

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

Java

380

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

381

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

382

A J2EE application uses System.exit(), which also shuts down its container.

Java

383

Thread management in a Web application is forbidden in some circumstances and is always highly error prone.

Java

384

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Java

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

Java

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

Java

390

The product detects a specific error, but takes no actions to handle the error.

Java

391

[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.

Java

392

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

Java

396

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Java

397

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Java

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Java

399

Weaknesses in this category are related to improper management of system resources.

Java

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Java

401

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Java

402

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

Java

403

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

Java

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

Java

405

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

Java

409

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Java

411

Weaknesses in this category are related to improper handling of locks that are used to control access to resources.

Java

413

The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.

Java

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

Java

427

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Java

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

Java

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Java

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

Java

440

A feature, API, or function does not perform according to its specification.

Java

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Java

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

Java

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Java

460

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

Java

461

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

463

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

Java

465

Weaknesses in this category are related to improper handling of pointers.

Java

470

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Java

471

The product does not properly protect an assumed-immutable element from being modified by an attacker.

Java

474

The code uses a function that has inconsistent implementations across operating systems and versions.

Java

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Java

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

Java

481

The code uses an operator for assignment when the intention was to perform a comparison.

Java

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

Java

484

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

Java

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

Java

486

The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

Java

487

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

Java

488

The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.

Java

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

Java

490

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

492

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

Java

493

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

Java

494

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Java

495

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

Java

496

Assigning public data to a private array is equivalent to giving public access to the array.

Java

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Java

498

The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.

Java

499

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.

Java

500

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Java

501

The product mixes trusted and untrusted data in the same data structure or structured message.

Java

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Java

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

Java

521

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Java

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Java

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Java

524

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Java

525

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Java

526

The product uses an environment variable to store unencrypted sensitive information.

Java

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Java

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

Java

537

In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.

Java

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Java

539

The web application uses persistent cookies, but the cookies contain sensitive information.

Java

540

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

Java

543

The product uses the singleton pattern when creating a resource within a multithreaded environment.

Java

548

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

Java

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

Java

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Java

557

Weaknesses in this category are related to concurrent use of shared resources.

Java

558

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

Java

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Java

561

The product contains dead code, which can never be executed.

Java

563

The variable's value is assigned but never used, making it a dead store.

Java

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Java

567

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Java

568

The product contains a finalize() method that does not call super.finalize().

Java

569

Weaknesses in this category are related to incorrectly written expressions within code.

Java

570

The product contains an expression that will always evaluate to false.

Java

571

The product contains an expression that will always evaluate to true.

Java

572

The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

Java

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

Java

574

The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.

Java

575

The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.

Java

576

The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

Java

577

The product violates the Enterprise JavaBeans (EJB) specification by using sockets.

Java

579

The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.

Java

580

The product contains a clone() method that does not call super.clone() to obtain the new object.

Java

581

The product does not maintain equal hashcodes for equal objects.

Java

583

The product violates secure coding principles for mobile code by declaring a finalize() method public.

Java

584

The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.

Java

585

The product contains an empty synchronized block.

Java

586

The product makes an explicit call to the finalize() method from outside the finalizer.

Java

589

The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.

Java

592

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

Java

594

When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.

Java

595

The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

Java

596

This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023.

Java

597

The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.

Java

598

The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

Java

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Java

607

A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.

Java

609

The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.

Java

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Java

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Java

613

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Java

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Java

615

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.

Java

617

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Java

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Java

625

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Java

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Java

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Java

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Java

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Java

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Java

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Java

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Java

642

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

Java

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Java

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Java

647

The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.

Java

650

The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.

Java

654

A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

Java

657

The product violates well-established principles for secure design.

Java

662

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

Java

663

The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state.

Java

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Java

665

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Java

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

Java

667

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Java

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Java

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Java

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Java

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Java

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Java

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Java

676

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

Java

681

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Java

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Java

683

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

Java

684

The code does not function according to its published specifications, potentially leading to incorrect usage.

Java

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Java

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Java

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Java

694

The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required.

Java

695

The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate.

Java

696

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

Java

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Java

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Java

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Java

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Java

704

The product does not correctly convert an object, resource, or structure from one type to a different type.

Java

705

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

Java

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Java

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Java

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Java

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Java

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

Java

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

Java

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

Java

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

Java

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

Java

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

Java

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

Java

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

Java

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

Java

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

Java

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Java

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

Java

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

Java

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

Java

726

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.

Java

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Java

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

Java

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

Java

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

Java

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

Java

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Java

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Java

735

Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008).

Java

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

Java

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

Java

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Java

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

Java

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

Java

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

Java

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Java

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Java

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

Java

745

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).

Java

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Java

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Java

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

Java

749

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Java

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Java

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Java

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

Java

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

Java

754

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Java

755

The product does not handle or incorrectly handles an exceptional condition.

Java

757

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

Java

758

The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.

Java

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Java

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

Java

766

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Java

772

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Java

776

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Java

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Java

779

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

Java

780

The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.

Java

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

Java

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Java

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Java

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

Java

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

Java

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

Java

807

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Java

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Java

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Java

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

Java

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

Java

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

Java

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

Java

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

Java

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

Java

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

Java

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

Java

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

Java

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

Java

820

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

Java

821

The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource.

Java

827

The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.

Java

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Java

833

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Java

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

Java

835

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Java

838

The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

Java

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Java

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Java

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

846

Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

847

Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

849

Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

852

Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

853

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

854

Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

855

Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Java

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Java

863

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Java

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Java

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Java

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Java

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Java

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Java

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

879

Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Java

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Java

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

Java

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

Java

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

Java

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Java

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

Java

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

Java

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Java

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

Java

894

This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).

Java

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

Java

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Java

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

Java

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

Java

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

Java

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Java

901

This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).

Java

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

Java

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

Java

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

Java

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

Java

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Java

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Java

915

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Java

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Java

917

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Java

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Java

921

The product stores sensitive information in a file system or device that does not have built-in access control.

Java

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Java

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Java

925

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.

Java

926

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Java

927

The Android application uses an implicit intent for transmitting sensitive data to other applications.

Java

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Java

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Java

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

Java

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

Java

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

Java

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

Java

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

Java

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

Java

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

Java

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

Java

942

The product uses a cross-domain policy file that includes domains that should not be trusted.

Java

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Java

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

Java

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

Java

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

Java

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

Java

948

This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.

Java

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

Java

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

Java

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

Java

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

Java

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

Java

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

Java

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

Java

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

Java

960

This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5).

Java

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

Java

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

Java

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

Java

965

This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.

Java

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

Java

970

This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).

Java

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

Java

974

This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10).

Java

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Java

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

Java

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Java

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

Java

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

Java

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

Java

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

Java

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Java

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

Java

986

This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).

Java

987

This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21).

Java

988

This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).

Java

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Java

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

Java

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Java

993

This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.

Java

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Java

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

Java

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

Java

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Java

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Java

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

Java

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Java

1004

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Java

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Java

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Java

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Java

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

Java

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Java

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

Java

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

Java

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

Java

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Java

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Java

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

Java

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

Java

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Java

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Java

1023

The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

Java

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Java

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

Java

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

Java

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

Java

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

Java

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

Java

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

Java

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

Java

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

Java

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

Java

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

Java

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

Java

1071

The source code contains a block that does not contain any code, i.e., the block is empty.

Java

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

Java

1104

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

Java

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

Java

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Java

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

Java

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

Java

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Java

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Java

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1135

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1138

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1139

Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1142

Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1143

Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1144

Weaknesses in this category are related to the rules and recommendations in the Thread APIs (THI) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1145

Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1146

Weaknesses in this category are related to the rules and recommendations in the Thread-Safety Miscellaneous (TSM) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1151

Weaknesses in this category are related to the rules and recommendations in the Java Native Interface (JNI) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Java

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Java

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

Java

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

Java

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

Java

1160

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.

Java

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

Java

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

Java

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Java

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

Java

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

Java

1166

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.

Java

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

Java

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

Java

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

Java

1171

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.

Java

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

Java

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Java

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Java

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

Java

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

Java

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

Java

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

Java

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Java

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

Java

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Java

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

Java

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

Java

1208

Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components.

Java

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

Java

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

Java

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

Java

1213

Weaknesses in this category are related to a software system's random number generation.

Java

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

Java

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

Java

1217

Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.

Java

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

Java

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

Java

1238

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38).

Java

1275

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

Java

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Java

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Java

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

Java

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Java

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

Java

1327

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

Java

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Java

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Java

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Java

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Java

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

Java

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Java

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

Java

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

Java

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Java

1352

Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.

Java

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

Java

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

Java

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

Java

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

Java

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Java

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Java

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Java

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Java

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Java

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1373

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1376

Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Java

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Java

1396

Weaknesses in this category are related to access control.

Java

1397

Weaknesses in this category are related to comparison.

Java

1398

Weaknesses in this category are related to component interaction.

Java

1399

Weaknesses in this category are related to memory safety.

Java

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Java

1401

Weaknesses in this category are related to concurrency.

Java

1402

Weaknesses in this category are related to encryption.

Java

1403

Weaknesses in this category are related to exposed resource.

Java

1404

Weaknesses in this category are related to file handling.

Java

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

Java

1406

Weaknesses in this category are related to improper input validation.

Java

1407

Weaknesses in this category are related to improper neutralization.

Java

1408

Weaknesses in this category are related to incorrect calculation.

Java

1409

Weaknesses in this category are related to injection.

Java

1410

Weaknesses in this category are related to insufficient control flow management.

Java

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

Java

1412

Weaknesses in this category are related to poor coding practices.

Java

1413

Weaknesses in this category are related to protection mechanism failure.

Java

1414

Weaknesses in this category are related to randomness.

Java

1415

Weaknesses in this category are related to resource control.

Java

1416

Weaknesses in this category are related to resource lifecycle management.

Java

1417

Weaknesses in this category are related to sensitive information exposure.

Java

1418

Weaknesses in this category are related to violation of secure design principles.

JavaScript

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

JavaScript

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

JavaScript

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

JavaScript

16

Weaknesses in this category are typically introduced during the configuration of the software.

JavaScript

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

JavaScript

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

JavaScript

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

JavaScript

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

JavaScript

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

JavaScript

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

JavaScript

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

JavaScript

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

JavaScript

73

The product allows user input to control or influence paths or file names that are used in filesystem operations.

JavaScript

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

JavaScript

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

JavaScript

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

JavaScript

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

JavaScript

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

JavaScript

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

JavaScript

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

JavaScript

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

JavaScript

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

JavaScript

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

JavaScript

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

JavaScript

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

JavaScript

93

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

JavaScript

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

JavaScript

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

JavaScript

99

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

JavaScript

113

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

JavaScript

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

JavaScript

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

JavaScript

133

Weaknesses in this category are related to the creation and modification of strings.

JavaScript

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

JavaScript

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

JavaScript

140

The product does not neutralize or incorrectly neutralizes delimiters.

JavaScript

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

JavaScript

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

JavaScript

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

JavaScript

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

JavaScript

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

JavaScript

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

JavaScript

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

JavaScript

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

JavaScript

183

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

JavaScript

185

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

JavaScript

187

The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

JavaScript

199

Weaknesses in this category are related to improper handling of sensitive information.

JavaScript

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

JavaScript

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

JavaScript

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

JavaScript

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

JavaScript

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

JavaScript

215

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

JavaScript

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

JavaScript

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

JavaScript

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

JavaScript

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

JavaScript

228

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

JavaScript

233

The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

JavaScript

248

An exception is thrown from a function, but it is not caught.

JavaScript

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

JavaScript

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

JavaScript

255

Weaknesses in this category are related to the management of credentials.

JavaScript

256

Storing a password in plaintext may result in a system compromise.

JavaScript

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

JavaScript

258

Using an empty string as a password is insecure.

JavaScript

260

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

JavaScript

263

The product supports password aging, but the expiration period is too long.

JavaScript

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

JavaScript

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

JavaScript

269

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

JavaScript

271

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

JavaScript

272

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

JavaScript

275

Weaknesses in this category are related to improper assignment or handling of permissions.

JavaScript

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

JavaScript

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

JavaScript

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

JavaScript

289

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

JavaScript

290

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

JavaScript

295

The product does not validate, or incorrectly validates, a certificate.

JavaScript

296

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

JavaScript

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

JavaScript

304

The product implements an authentication technique, but it skips a step that weakens the technique.

JavaScript

305

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

JavaScript

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

JavaScript

307

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

JavaScript

308

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

JavaScript

309

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

JavaScript

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

JavaScript

311

The product does not encrypt sensitive or critical information before storage or transmission.

JavaScript

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

JavaScript

313

The product stores sensitive information in cleartext in a file, or on disk.

JavaScript

314

The product stores sensitive information in cleartext in the registry.

JavaScript

315

The product stores sensitive information in cleartext in a cookie.

JavaScript

317

The product stores sensitive information in cleartext within the GUI.

JavaScript

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

JavaScript

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

JavaScript

322

The product performs a key exchange with an actor without verifying the identity of that actor.

JavaScript

324

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

JavaScript

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

JavaScript

327

The product uses a broken or risky cryptographic algorithm or protocol.

JavaScript

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

JavaScript

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

JavaScript

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

JavaScript

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

JavaScript

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

JavaScript

346

The product does not properly verify that the source of data or communication is valid.

JavaScript

347

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

JavaScript

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

JavaScript

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

JavaScript

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

JavaScript

358

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

JavaScript

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

JavaScript

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

JavaScript

371

Weaknesses in this category are related to improper management of system state.

JavaScript

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

JavaScript

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

JavaScript

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

JavaScript

399

Weaknesses in this category are related to improper management of system resources.

JavaScript

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

JavaScript

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

JavaScript

405

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

JavaScript

409

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

JavaScript

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

JavaScript

418

This category has been deprecated because it redundant with the grouping provided by CWE-417.

JavaScript

419

The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

JavaScript

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

JavaScript

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

JavaScript

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

JavaScript

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

JavaScript

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

JavaScript

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

JavaScript

455

The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.

JavaScript

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

JavaScript

461

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

JavaScript

463

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

JavaScript

465

Weaknesses in this category are related to improper handling of pointers.

JavaScript

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

JavaScript

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

JavaScript

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

JavaScript

484

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

JavaScript

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

JavaScript

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

JavaScript

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

JavaScript

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

JavaScript

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

JavaScript

506

The product contains code that appears to be malicious in nature.

JavaScript

521

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

JavaScript

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

JavaScript

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

JavaScript

524

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

JavaScript

525

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

JavaScript

526

The product uses an environment variable to store unencrypted sensitive information.

JavaScript

530

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

JavaScript

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

JavaScript

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

JavaScript

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

JavaScript

539

The web application uses persistent cookies, but the cookies contain sensitive information.

JavaScript

548

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

JavaScript

549

The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

JavaScript

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

JavaScript

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

JavaScript

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

JavaScript

561

The product contains dead code, which can never be executed.

JavaScript

565

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

JavaScript

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

JavaScript

569

Weaknesses in this category are related to incorrectly written expressions within code.

JavaScript

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

JavaScript

592

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

JavaScript

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

JavaScript

602

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

JavaScript

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

JavaScript

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

JavaScript

613

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

JavaScript

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

JavaScript

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

JavaScript

625

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

JavaScript

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

JavaScript

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

JavaScript

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

JavaScript

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

JavaScript

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

JavaScript

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

JavaScript

636

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

JavaScript

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

JavaScript

642

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

JavaScript

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

JavaScript

654

A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

JavaScript

657

The product violates well-established principles for secure design.

JavaScript

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

JavaScript

665

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

JavaScript

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

JavaScript

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

JavaScript

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

JavaScript

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

JavaScript

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

JavaScript

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

JavaScript

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

JavaScript

676

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

JavaScript

688

The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.

JavaScript

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

JavaScript

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

JavaScript

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

JavaScript

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

JavaScript

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

JavaScript

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

JavaScript

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

JavaScript

705

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

JavaScript

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

JavaScript

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

JavaScript

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

JavaScript

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

JavaScript

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

JavaScript

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

JavaScript

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

JavaScript

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

JavaScript

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

JavaScript

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

JavaScript

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

JavaScript

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

JavaScript

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

JavaScript

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

JavaScript

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

JavaScript

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

JavaScript

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

JavaScript

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

JavaScript

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

JavaScript

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

JavaScript

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

JavaScript

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

JavaScript

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

JavaScript

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

JavaScript

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

JavaScript

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

JavaScript

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

JavaScript

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

JavaScript

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

JavaScript

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

JavaScript

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

JavaScript

755

The product does not handle or incorrectly handles an exceptional condition.

JavaScript

757

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

JavaScript

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

JavaScript

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

JavaScript

776

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

JavaScript

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

JavaScript

779

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

JavaScript

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

JavaScript

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

JavaScript

799

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

JavaScript

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

JavaScript

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

JavaScript

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

JavaScript

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

JavaScript

807

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

JavaScript

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

JavaScript

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

JavaScript

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

JavaScript

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

JavaScript

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

JavaScript

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

JavaScript

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

JavaScript

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

JavaScript

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

JavaScript

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

JavaScript

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

JavaScript

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

JavaScript

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

JavaScript

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

JavaScript

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

JavaScript

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

JavaScript

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

846

Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

854

Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

855

Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

JavaScript

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

JavaScript

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

JavaScript

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

JavaScript

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

JavaScript

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

JavaScript

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

JavaScript

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

JavaScript

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

JavaScript

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

JavaScript

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

JavaScript

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

JavaScript

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

JavaScript

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

JavaScript

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

JavaScript

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

JavaScript

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

JavaScript

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

JavaScript

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

JavaScript

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

JavaScript

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

JavaScript

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

JavaScript

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

JavaScript

901

This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).

JavaScript

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

JavaScript

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

JavaScript

904

This category identifies Software Fault Patterns (SFPs) within the Malware cluster.

JavaScript

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

JavaScript

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

JavaScript

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

JavaScript

908

The product uses or accesses a resource that has not been initialized.

JavaScript

912

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

JavaScript

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

JavaScript

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

JavaScript

917

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

JavaScript

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

JavaScript

921

The product stores sensitive information in a file system or device that does not have built-in access control.

JavaScript

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

JavaScript

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

JavaScript

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

JavaScript

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

JavaScript

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

JavaScript

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

JavaScript

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

JavaScript

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

JavaScript

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

JavaScript

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

JavaScript

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

JavaScript

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

JavaScript

942

The product uses a cross-domain policy file that includes domains that should not be trusted.

JavaScript

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

JavaScript

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

JavaScript

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

JavaScript

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

JavaScript

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

JavaScript

948

This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.

JavaScript

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

JavaScript

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

JavaScript

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

JavaScript

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

JavaScript

955

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34).

JavaScript

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

JavaScript

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

JavaScript

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

JavaScript

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

JavaScript

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

JavaScript

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

JavaScript

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

JavaScript

965

This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.

JavaScript

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

JavaScript

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

JavaScript

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

JavaScript

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

JavaScript

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

JavaScript

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

JavaScript

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

JavaScript

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

JavaScript

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

JavaScript

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

JavaScript

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

JavaScript

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

JavaScript

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

JavaScript

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

JavaScript

993

This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.

JavaScript

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

JavaScript

995

This category identifies Software Fault Patterns (SFPs) within the Feature cluster.

JavaScript

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

JavaScript

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

JavaScript

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

JavaScript

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

JavaScript

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

JavaScript

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

JavaScript

1004

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

JavaScript

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

JavaScript

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

JavaScript

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

JavaScript

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

JavaScript

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

JavaScript

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

JavaScript

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

JavaScript

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

JavaScript

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

JavaScript

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

JavaScript

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

JavaScript

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

JavaScript

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

JavaScript

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

JavaScript

1021

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

JavaScript

1022

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.

JavaScript

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

JavaScript

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

JavaScript

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

JavaScript

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

JavaScript

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

JavaScript

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

JavaScript

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

JavaScript

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

JavaScript

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

JavaScript

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

JavaScript

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

JavaScript

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

JavaScript

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

JavaScript

1104

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

JavaScript

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

JavaScript

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

JavaScript

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

JavaScript

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

JavaScript

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

JavaScript

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

JavaScript

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1135

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1145

Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

JavaScript

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

JavaScript

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

JavaScript

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

JavaScript

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

JavaScript

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

JavaScript

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

JavaScript

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

JavaScript

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

JavaScript

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

JavaScript

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

JavaScript

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

JavaScript

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

JavaScript

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

JavaScript

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

JavaScript

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

JavaScript

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

JavaScript

1187

This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908.

JavaScript

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

JavaScript

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

JavaScript

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

JavaScript

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

JavaScript

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

JavaScript

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

JavaScript

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

JavaScript

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

JavaScript

1213

Weaknesses in this category are related to a software system's random number generation.

JavaScript

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

JavaScript

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

JavaScript

1217

Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.

JavaScript

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

JavaScript

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

JavaScript

1275

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

JavaScript

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

JavaScript

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

JavaScript

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

JavaScript

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

JavaScript

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

JavaScript

1327

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

JavaScript

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

JavaScript

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

JavaScript

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

JavaScript

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

JavaScript

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

JavaScript

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

JavaScript

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

JavaScript

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

JavaScript

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

JavaScript

1352

Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.

JavaScript

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

JavaScript

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

JavaScript

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

JavaScript

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

JavaScript

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

JavaScript

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

JavaScript

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

JavaScript

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

JavaScript

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

JavaScript

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1373

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

JavaScript

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

JavaScript

1396

Weaknesses in this category are related to access control.

JavaScript

1397

Weaknesses in this category are related to comparison.

JavaScript

1398

Weaknesses in this category are related to component interaction.

JavaScript

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

JavaScript

1402

Weaknesses in this category are related to encryption.

JavaScript

1403

Weaknesses in this category are related to exposed resource.

JavaScript

1404

Weaknesses in this category are related to file handling.

JavaScript

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

JavaScript

1406

Weaknesses in this category are related to improper input validation.

JavaScript

1407

Weaknesses in this category are related to improper neutralization.

JavaScript

1409

Weaknesses in this category are related to injection.

JavaScript

1410

Weaknesses in this category are related to insufficient control flow management.

JavaScript

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

JavaScript

1412

Weaknesses in this category are related to poor coding practices.

JavaScript

1413

Weaknesses in this category are related to protection mechanism failure.

JavaScript

1414

Weaknesses in this category are related to randomness.

JavaScript

1415

Weaknesses in this category are related to resource control.

JavaScript

1416

Weaknesses in this category are related to resource lifecycle management.

JavaScript

1417

Weaknesses in this category are related to sensitive information exposure.

JavaScript

1418

Weaknesses in this category are related to violation of secure design principles.

Kotlin

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

Kotlin

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

Kotlin

16

Weaknesses in this category are typically introduced during the configuration of the software.

Kotlin

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Kotlin

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Kotlin

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

Kotlin

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Kotlin

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Kotlin

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Kotlin

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Kotlin

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Kotlin

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Kotlin

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Kotlin

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Kotlin

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Kotlin

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Kotlin

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Kotlin

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Kotlin

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Kotlin

118

The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files.

Kotlin

119

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Kotlin

133

Weaknesses in this category are related to the creation and modification of strings.

Kotlin

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Kotlin

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Kotlin

140

The product does not neutralize or incorrectly neutralizes delimiters.

Kotlin

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

Kotlin

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

Kotlin

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

Kotlin

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

Kotlin

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Kotlin

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Kotlin

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

Kotlin

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Kotlin

185

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

Kotlin

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

Kotlin

190

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Kotlin

199

Weaknesses in this category are related to improper handling of sensitive information.

Kotlin

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Kotlin

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Kotlin

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Kotlin

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Kotlin

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

Kotlin

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

Kotlin

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

Kotlin

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Kotlin

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

Kotlin

242

The product calls a function that can never be guaranteed to work safely.

Kotlin

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

Kotlin

252

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Kotlin

253

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

Kotlin

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Kotlin

255

Weaknesses in this category are related to the management of credentials.

Kotlin

256

Storing a password in plaintext may result in a system compromise.

Kotlin

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Kotlin

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

Kotlin

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Kotlin

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

Kotlin

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Kotlin

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Kotlin

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Kotlin

295

The product does not validate, or incorrectly validates, a certificate.

Kotlin

296

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

Kotlin

297

The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.

Kotlin

299

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

Kotlin

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Kotlin

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Kotlin

311

The product does not encrypt sensitive or critical information before storage or transmission.

Kotlin

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Kotlin

313

The product stores sensitive information in cleartext in a file, or on disk.

Kotlin

314

The product stores sensitive information in cleartext in the registry.

Kotlin

315

The product stores sensitive information in cleartext in a cookie.

Kotlin

317

The product stores sensitive information in cleartext within the GUI.

Kotlin

318

The product stores sensitive information in cleartext in an executable.

Kotlin

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Kotlin

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

Kotlin

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

Kotlin

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Kotlin

327

The product uses a broken or risky cryptographic algorithm or protocol.

Kotlin

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

Kotlin

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Kotlin

335

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Kotlin

336

A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.

Kotlin

337

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.

Kotlin

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Kotlin

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Kotlin

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Kotlin

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

Kotlin

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

Kotlin

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Kotlin

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Kotlin

362

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

Kotlin

366

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

Kotlin

369

The product divides a value by zero.

Kotlin

380

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

381

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

Kotlin

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

Kotlin

390

The product detects a specific error, but takes no actions to handle the error.

Kotlin

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Kotlin

399

Weaknesses in this category are related to improper management of system resources.

Kotlin

402

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

Kotlin

403

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

Kotlin

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

Kotlin

405

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

Kotlin

409

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Kotlin

411

Weaknesses in this category are related to improper handling of locks that are used to control access to resources.

Kotlin

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

Kotlin

427

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Kotlin

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

Kotlin

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Kotlin

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

Kotlin

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Kotlin

465

Weaknesses in this category are related to improper handling of pointers.

Kotlin

470

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Kotlin

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Kotlin

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

Kotlin

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

Kotlin

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

Kotlin

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

Kotlin

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Kotlin

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Kotlin

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Kotlin

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Kotlin

524

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Kotlin

525

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Kotlin

526

The product uses an environment variable to store unencrypted sensitive information.

Kotlin

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Kotlin

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

Kotlin

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Kotlin

539

The web application uses persistent cookies, but the cookies contain sensitive information.

Kotlin

543

The product uses the singleton pattern when creating a resource within a multithreaded environment.

Kotlin

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

Kotlin

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Kotlin

557

Weaknesses in this category are related to concurrent use of shared resources.

Kotlin

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Kotlin

561

The product contains dead code, which can never be executed.

Kotlin

563

The variable's value is assigned but never used, making it a dead store.

Kotlin

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Kotlin

567

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Kotlin

569

Weaknesses in this category are related to incorrectly written expressions within code.

Kotlin

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

Kotlin

596

This weakness has been deprecated. It was poorly described and difficult to distinguish from other entries. It was also inappropriate to assign a separate ID solely because of domain-specific considerations. Its closest equivalent is CWE-1023.

Kotlin

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Kotlin

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Kotlin

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Kotlin

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Kotlin

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Kotlin

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Kotlin

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Kotlin

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Kotlin

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Kotlin

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Kotlin

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Kotlin

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Kotlin

657

The product violates well-established principles for secure design.

Kotlin

662

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

Kotlin

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Kotlin

667

The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

Kotlin

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Kotlin

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Kotlin

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Kotlin

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Kotlin

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Kotlin

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Kotlin

683

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

Kotlin

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Kotlin

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Kotlin

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Kotlin

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Kotlin

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Kotlin

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Kotlin

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Kotlin

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Kotlin

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Kotlin

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Kotlin

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

Kotlin

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

Kotlin

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

Kotlin

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

Kotlin

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

Kotlin

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

Kotlin

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

Kotlin

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

Kotlin

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Kotlin

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

Kotlin

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

Kotlin

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

Kotlin

726

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2004.

Kotlin

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Kotlin

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

Kotlin

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

Kotlin

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

Kotlin

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

Kotlin

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Kotlin

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

745

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Kotlin

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

Kotlin

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Kotlin

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Kotlin

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

Kotlin

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

Kotlin

754

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Kotlin

755

The product does not handle or incorrectly handles an exceptional condition.

Kotlin

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Kotlin

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

Kotlin

776

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

Kotlin

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Kotlin

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

Kotlin

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Kotlin

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Kotlin

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

Kotlin

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

Kotlin

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

Kotlin

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Kotlin

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Kotlin

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

Kotlin

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

Kotlin

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

Kotlin

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

Kotlin

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

Kotlin

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

Kotlin

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

Kotlin

820

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

Kotlin

827

The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.

Kotlin

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Kotlin

833

The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.

Kotlin

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

Kotlin

835

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Kotlin

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Kotlin

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Kotlin

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

847

Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

852

Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

853

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

855

Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Kotlin

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Kotlin

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Kotlin

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Kotlin

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Kotlin

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Kotlin

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Kotlin

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

879

Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Kotlin

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Kotlin

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

Kotlin

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

Kotlin

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

Kotlin

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Kotlin

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

Kotlin

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

Kotlin

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Kotlin

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

Kotlin

894

This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).

Kotlin

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

Kotlin

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Kotlin

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

Kotlin

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

Kotlin

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

Kotlin

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Kotlin

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

Kotlin

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

Kotlin

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

Kotlin

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

Kotlin

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Kotlin

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Kotlin

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Kotlin

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Kotlin

921

The product stores sensitive information in a file system or device that does not have built-in access control.

Kotlin

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Kotlin

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Kotlin

925

The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.

Kotlin

926

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Kotlin

927

The Android application uses an implicit intent for transmitting sensitive data to other applications.

Kotlin

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Kotlin

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Kotlin

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

Kotlin

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

Kotlin

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

Kotlin

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

Kotlin

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

Kotlin

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Kotlin

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

Kotlin

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

Kotlin

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

Kotlin

948

This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.

Kotlin

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

Kotlin

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

Kotlin

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

Kotlin

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

Kotlin

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

Kotlin

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

Kotlin

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

Kotlin

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

Kotlin

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

Kotlin

965

This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.

Kotlin

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

Kotlin

970

This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8).

Kotlin

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

Kotlin

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Kotlin

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

Kotlin

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Kotlin

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

Kotlin

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

Kotlin

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

Kotlin

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Kotlin

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

Kotlin

986

This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).

Kotlin

988

This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20).

Kotlin

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Kotlin

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

Kotlin

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Kotlin

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Kotlin

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

Kotlin

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

Kotlin

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Kotlin

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Kotlin

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

Kotlin

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Kotlin

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Kotlin

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Kotlin

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Kotlin

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

Kotlin

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Kotlin

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

Kotlin

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

Kotlin

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

Kotlin

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Kotlin

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Kotlin

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

Kotlin

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Kotlin

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Kotlin

1023

The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.

Kotlin

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Kotlin

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

Kotlin

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

Kotlin

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

Kotlin

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

Kotlin

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

Kotlin

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

Kotlin

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

Kotlin

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

Kotlin

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

Kotlin

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

Kotlin

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

Kotlin

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

Kotlin

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Kotlin

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

Kotlin

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

Kotlin

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Kotlin

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Kotlin

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1142

Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1143

Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1145

Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Kotlin

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Kotlin

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

Kotlin

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

Kotlin

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

Kotlin

1160

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard.

Kotlin

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

Kotlin

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

Kotlin

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Kotlin

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

Kotlin

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

Kotlin

1166

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.

Kotlin

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

Kotlin

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

Kotlin

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

Kotlin

1171

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard.

Kotlin

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

Kotlin

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Kotlin

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Kotlin

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

Kotlin

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

Kotlin

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

Kotlin

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

Kotlin

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Kotlin

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

Kotlin

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Kotlin

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

Kotlin

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

Kotlin

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

Kotlin

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

Kotlin

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

Kotlin

1213

Weaknesses in this category are related to a software system's random number generation.

Kotlin

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

Kotlin

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

Kotlin

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

Kotlin

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Kotlin

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Kotlin

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

Kotlin

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Kotlin

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

Kotlin

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Kotlin

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Kotlin

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Kotlin

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Kotlin

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

Kotlin

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Kotlin

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

Kotlin

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

Kotlin

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Kotlin

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

Kotlin

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

Kotlin

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

Kotlin

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

Kotlin

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Kotlin

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Kotlin

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Kotlin

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Kotlin

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Kotlin

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1376

Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "As a large system is brought online components of the system may remain vulnerable until the entire system is operating and functional and security controls are put in place. This creates a window of opportunity for an adversary during the commissioning process." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Kotlin

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Kotlin

1396

Weaknesses in this category are related to access control.

Kotlin

1397

Weaknesses in this category are related to comparison.

Kotlin

1399

Weaknesses in this category are related to memory safety.

Kotlin

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Kotlin

1401

Weaknesses in this category are related to concurrency.

Kotlin

1402

Weaknesses in this category are related to encryption.

Kotlin

1403

Weaknesses in this category are related to exposed resource.

Kotlin

1404

Weaknesses in this category are related to file handling.

Kotlin

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

Kotlin

1406

Weaknesses in this category are related to improper input validation.

Kotlin

1407

Weaknesses in this category are related to improper neutralization.

Kotlin

1408

Weaknesses in this category are related to incorrect calculation.

Kotlin

1409

Weaknesses in this category are related to injection.

Kotlin

1410

Weaknesses in this category are related to insufficient control flow management.

Kotlin

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

Kotlin

1412

Weaknesses in this category are related to poor coding practices.

Kotlin

1413

Weaknesses in this category are related to protection mechanism failure.

Kotlin

1414

Weaknesses in this category are related to randomness.

Kotlin

1415

Weaknesses in this category are related to resource control.

Kotlin

1416

Weaknesses in this category are related to resource lifecycle management.

Kotlin

1417

Weaknesses in this category are related to sensitive information exposure.

Kotlin

1418

Weaknesses in this category are related to violation of secure design principles.

PHP

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

PHP

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

PHP

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

PHP

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

PHP

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

PHP

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

PHP

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

PHP

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

PHP

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

PHP

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

PHP

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

PHP

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

PHP

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

PHP

99

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

PHP

115

The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

PHP

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

PHP

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

PHP

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

PHP

183

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

PHP

199

Weaknesses in this category are related to improper handling of sensitive information.

PHP

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

PHP

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

PHP

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

PHP

255

Weaknesses in this category are related to the management of credentials.

PHP

261

Obscuring a password with a trivial encoding does not protect the password.

PHP

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

PHP

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

PHP

275

Weaknesses in this category are related to improper assignment or handling of permissions.

PHP

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

PHP

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

PHP

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

PHP

295

The product does not validate, or incorrectly validates, a certificate.

PHP

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

PHP

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

PHP

311

The product does not encrypt sensitive or critical information before storage or transmission.

PHP

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

PHP

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

PHP

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

PHP

327

The product uses a broken or risky cryptographic algorithm or protocol.

PHP

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

PHP

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

PHP

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

PHP

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

PHP

346

The product does not properly verify that the source of data or communication is valid.

PHP

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

PHP

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

PHP

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

PHP

384

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

PHP

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

PHP

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

PHP

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

PHP

399

Weaknesses in this category are related to improper management of system resources.

PHP

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

PHP

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

PHP

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

PHP

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

PHP

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

PHP

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

PHP

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

PHP

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

PHP

470

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

PHP

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

PHP

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

PHP

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

PHP

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

PHP

521

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

PHP

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

PHP

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

PHP

524

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

PHP

525

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

PHP

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

PHP

539

The web application uses persistent cookies, but the cookies contain sensitive information.

PHP

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

PHP

613

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

PHP

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

PHP

621

The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables.

PHP

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

PHP

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

PHP

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

PHP

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

PHP

657

The product violates well-established principles for secure design.

PHP

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

PHP

665

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

PHP

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

PHP

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

PHP

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

PHP

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

PHP

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

PHP

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

PHP

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

PHP

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

PHP

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

PHP

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

PHP

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

PHP

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

PHP

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

PHP

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

PHP

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

PHP

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

PHP

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

PHP

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

PHP

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

PHP

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

PHP

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

PHP

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

PHP

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

PHP

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

PHP

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

PHP

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

PHP

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

PHP

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

PHP

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

PHP

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

PHP

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

PHP

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

PHP

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

PHP

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

PHP

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

PHP

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

PHP

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

PHP

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

PHP

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

PHP

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

PHP

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

PHP

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

PHP

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

PHP

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

PHP

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

PHP

755

The product does not handle or incorrectly handles an exceptional condition.

PHP

770

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

PHP

779

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

PHP

780

The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.

PHP

789

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

PHP

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

PHP

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

PHP

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

PHP

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

PHP

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

PHP

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

PHP

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

PHP

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

PHP

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

PHP

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

PHP

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

PHP

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

PHP

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

PHP

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

PHP

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

PHP

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

PHP

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

PHP

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

846

Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

PHP

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

PHP

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

PHP

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

PHP

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

PHP

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

PHP

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

PHP

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

PHP

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

PHP

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

PHP

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

PHP

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

PHP

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

PHP

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

PHP

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

PHP

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

PHP

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

PHP

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

PHP

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

PHP

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

PHP

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

PHP

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

PHP

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

PHP

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

PHP

914

The product does not properly restrict reading from or writing to dynamically-identified variables.

PHP

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

PHP

917

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

PHP

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

PHP

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

PHP

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

PHP

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

PHP

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

PHP

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

PHP

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

PHP

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

PHP

942

The product uses a cross-domain policy file that includes domains that should not be trusted.

PHP

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

PHP

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

PHP

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

PHP

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

PHP

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

PHP

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

PHP

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

PHP

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

PHP

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

PHP

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

PHP

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

PHP

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

PHP

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

PHP

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

PHP

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

PHP

965

This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.

PHP

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

PHP

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

PHP

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

PHP

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

PHP

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

PHP

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

PHP

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

PHP

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

PHP

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

PHP

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

PHP

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

PHP

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

PHP

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

PHP

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

PHP

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

PHP

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

PHP

1004

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

PHP

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

PHP

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

PHP

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

PHP

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

PHP

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

PHP

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

PHP

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

PHP

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

PHP

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

PHP

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

PHP

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

PHP

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

PHP

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

PHP

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

PHP

1021

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

PHP

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

PHP

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

PHP

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

PHP

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

PHP

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

PHP

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

PHP

1104

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

PHP

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

PHP

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

PHP

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

PHP

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1135

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

PHP

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

PHP

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

PHP

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

PHP

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

PHP

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

PHP

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

PHP

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

PHP

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

PHP

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

PHP

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

PHP

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

PHP

1204

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

PHP

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

PHP

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

PHP

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

PHP

1213

Weaknesses in this category are related to a software system's random number generation.

PHP

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

PHP

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

PHP

1217

Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.

PHP

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

PHP

1275

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

PHP

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

PHP

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

PHP

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

PHP

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

PHP

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

PHP

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

PHP

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

PHP

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

PHP

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

PHP

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

PHP

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

PHP

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

PHP

1352

Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.

PHP

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

PHP

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

PHP

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

PHP

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

PHP

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

PHP

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

PHP

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

PHP

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

PHP

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

PHP

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

PHP

1396

Weaknesses in this category are related to access control.

PHP

1397

Weaknesses in this category are related to comparison.

PHP

1398

Weaknesses in this category are related to component interaction.

PHP

1399

Weaknesses in this category are related to memory safety.

PHP

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

PHP

1402

Weaknesses in this category are related to encryption.

PHP

1403

Weaknesses in this category are related to exposed resource.

PHP

1404

Weaknesses in this category are related to file handling.

PHP

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

PHP

1406

Weaknesses in this category are related to improper input validation.

PHP

1407

Weaknesses in this category are related to improper neutralization.

PHP

1409

Weaknesses in this category are related to injection.

PHP

1410

Weaknesses in this category are related to insufficient control flow management.

PHP

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

PHP

1412

Weaknesses in this category are related to poor coding practices.

PHP

1413

Weaknesses in this category are related to protection mechanism failure.

PHP

1414

Weaknesses in this category are related to randomness.

PHP

1415

Weaknesses in this category are related to resource control.

PHP

1416

Weaknesses in this category are related to resource lifecycle management.

PHP

1417

Weaknesses in this category are related to sensitive information exposure.

PHP

1418

Weaknesses in this category are related to violation of secure design principles.

Python

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

Python

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Python

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

Python

16

Weaknesses in this category are typically introduced during the configuration of the software.

Python

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Python

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Python

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Python

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Python

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

Python

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Python

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Python

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Python

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Python

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Python

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Python

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Python

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Python

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Python

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Python

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

Python

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

Python

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Python

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Python

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Python

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Python

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Python

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Python

115

The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

Python

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Python

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Python

133

Weaknesses in this category are related to the creation and modification of strings.

Python

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Python

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Python

140

The product does not neutralize or incorrectly neutralizes delimiters.

Python

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

Python

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

Python

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

Python

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

Python

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Python

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Python

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

Python

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Python

183

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Python

185

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

Python

187

The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

Python

199

Weaknesses in this category are related to improper handling of sensitive information.

Python

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Python

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Python

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Python

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

Python

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

Python

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

Python

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

Python

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

Python

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

Python

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

Python

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Python

255

Weaknesses in this category are related to the management of credentials.

Python

256

Storing a password in plaintext may result in a system compromise.

Python

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Python

258

Using an empty string as a password is insecure.

Python

260

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

Python

261

Obscuring a password with a trivial encoding does not protect the password.

Python

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Python

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

Python

275

Weaknesses in this category are related to improper assignment or handling of permissions.

Python

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Python

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Python

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Python

290

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Python

295

The product does not validate, or incorrectly validates, a certificate.

Python

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Python

304

The product implements an authentication technique, but it skips a step that weakens the technique.

Python

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Python

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Python

311

The product does not encrypt sensitive or critical information before storage or transmission.

Python

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Python

313

The product stores sensitive information in cleartext in a file, or on disk.

Python

314

The product stores sensitive information in cleartext in the registry.

Python

315

The product stores sensitive information in cleartext in a cookie.

Python

317

The product stores sensitive information in cleartext within the GUI.

Python

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Python

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

Python

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Python

327

The product uses a broken or risky cryptographic algorithm or protocol.

Python

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Python

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Python

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Python

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Python

346

The product does not properly verify that the source of data or communication is valid.

Python

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Python

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

Python

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

Python

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Python

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Python

376

This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).

Python

377

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Python

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

Python

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

Python

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Python

399

Weaknesses in this category are related to improper management of system resources.

Python

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Python

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

Python

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

Python

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

Python

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Python

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

Python

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Python

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Python

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

Python

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Python

465

Weaknesses in this category are related to improper handling of pointers.

Python

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Python

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

Python

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

Python

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

Python

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Python

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Python

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

Python

521

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Python

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Python

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Python

526

The product uses an environment variable to store unencrypted sensitive information.

Python

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Python

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

Python

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

Python

539

The web application uses persistent cookies, but the cookies contain sensitive information.

Python

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

Python

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

Python

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Python

561

The product contains dead code, which can never be executed.

Python

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

Python

569

Weaknesses in this category are related to incorrectly written expressions within code.

Python

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

Python

592

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

Python

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Python

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Python

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Python

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Python

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Python

625

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Python

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Python

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Python

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Python

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Python

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Python

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Python

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Python

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

Python

657

The product violates well-established principles for secure design.

Python

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Python

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Python

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Python

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Python

676

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

Python

688

The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.

Python

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Python

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Python

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Python

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Python

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Python

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Python

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

Python

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Python

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Python

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Python

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Python

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

Python

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

Python

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

Python

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

Python

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

Python

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

Python

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

Python

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

Python

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

Python

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

Python

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Python

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

Python

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

Python

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

Python

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Python

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

Python

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

Python

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

Python

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

Python

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Python

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Python

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

Python

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

Python

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Python

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

Python

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Python

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Python

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

Python

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Python

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Python

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Python

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Python

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

Python

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

Python

755

The product does not handle or incorrectly handles an exceptional condition.

Python

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

Python

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Python

779

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

Python

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

Python

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Python

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Python

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

Python

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

Python

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

Python

807

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Python

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Python

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Python

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

Python

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

Python

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

Python

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

Python

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

Python

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

Python

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

Python

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

Python

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

Python

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

Python

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Python

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Python

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Python

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Python

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Python

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Python

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Python

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Python

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Python

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Python

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Python

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

Python

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

Python

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

Python

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Python

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

Python

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

Python

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Python

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

Python

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

Python

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Python

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

Python

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

Python

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

Python

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Python

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

Python

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

Python

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

Python

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

Python

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Python

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Python

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Python

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Python

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Python

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Python

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Python

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Python

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

Python

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

Python

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

Python

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

Python

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

Python

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

Python

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

Python

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

Python

942

The product uses a cross-domain policy file that includes domains that should not be trusted.

Python

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Python

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

Python

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

Python

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

Python

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

Python

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

Python

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

Python

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

Python

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

Python

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

Python

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

Python

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

Python

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

Python

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

Python

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

Python

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

Python

964

This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.

Python

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

Python

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

Python

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Python

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

Python

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Python

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

Python

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

Python

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

Python

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Python

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

Python

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Python

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

Python

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Python

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Python

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

Python

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

Python

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Python

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Python

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

Python

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Python

1004

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Python

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Python

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Python

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Python

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

Python

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Python

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

Python

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

Python

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

Python

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Python

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Python

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

Python

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Python

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Python

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Python

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

Python

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

Python

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

Python

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

Python

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

Python

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

Python

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

Python

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

Python

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

Python

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

Python

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

Python

1104

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

Python

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Python

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

Python

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Python

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Python

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Python

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Python

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

Python

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

Python

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

Python

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Python

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

Python

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

Python

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

Python

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

Python

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

Python

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

Python

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Python

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Python

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

Python

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

Python

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

Python

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Python

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

Python

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Python

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

Python

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

Python

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

Python

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

Python

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

Python

1213

Weaknesses in this category are related to a software system's random number generation.

Python

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

Python

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

Python

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

Python

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

Python

1275

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

Python

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Python

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Python

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

Python

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Python

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

Python

1327

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

Python

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Python

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Python

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Python

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Python

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

Python

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Python

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

Python

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

Python

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Python

1352

Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.

Python

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

Python

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

Python

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

Python

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

Python

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Python

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Python

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Python

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Python

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Python

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1373

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Python

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Python

1396

Weaknesses in this category are related to access control.

Python

1397

Weaknesses in this category are related to comparison.

Python

1398

Weaknesses in this category are related to component interaction.

Python

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Python

1402

Weaknesses in this category are related to encryption.

Python

1403

Weaknesses in this category are related to exposed resource.

Python

1404

Weaknesses in this category are related to file handling.

Python

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

Python

1406

Weaknesses in this category are related to improper input validation.

Python

1407

Weaknesses in this category are related to improper neutralization.

Python

1409

Weaknesses in this category are related to injection.

Python

1410

Weaknesses in this category are related to insufficient control flow management.

Python

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

Python

1412

Weaknesses in this category are related to poor coding practices.

Python

1413

Weaknesses in this category are related to protection mechanism failure.

Python

1414

Weaknesses in this category are related to randomness.

Python

1415

Weaknesses in this category are related to resource control.

Python

1416

Weaknesses in this category are related to resource lifecycle management.

Python

1417

Weaknesses in this category are related to sensitive information exposure.

Python

1418

Weaknesses in this category are related to violation of secure design principles.

Ruby

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

Ruby

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Ruby

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Ruby

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Ruby

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Ruby

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

Ruby

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Ruby

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Ruby

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

Ruby

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Ruby

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Ruby

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Ruby

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Ruby

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Ruby

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

Ruby

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

Ruby

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

Ruby

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

Ruby

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Ruby

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Ruby

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Ruby

93

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Ruby

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Ruby

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Ruby

113

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Ruby

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Ruby

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Ruby

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

Ruby

140

The product does not neutralize or incorrectly neutralizes delimiters.

Ruby

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

Ruby

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

Ruby

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

Ruby

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

Ruby

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

Ruby

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

Ruby

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Ruby

184

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

Ruby

185

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

Ruby

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

Ruby

199

Weaknesses in this category are related to improper handling of sensitive information.

Ruby

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Ruby

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

Ruby

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Ruby

255

Weaknesses in this category are related to the management of credentials.

Ruby

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Ruby

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

Ruby

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Ruby

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Ruby

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Ruby

295

The product does not validate, or incorrectly validates, a certificate.

Ruby

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Ruby

307

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Ruby

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Ruby

311

The product does not encrypt sensitive or critical information before storage or transmission.

Ruby

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Ruby

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

Ruby

327

The product uses a broken or risky cryptographic algorithm or protocol.

Ruby

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Ruby

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Ruby

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Ruby

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Ruby

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

Ruby

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Ruby

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Ruby

369

The product divides a value by zero.

Ruby

371

Weaknesses in this category are related to improper management of system state.

Ruby

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Ruby

399

Weaknesses in this category are related to improper management of system resources.

Ruby

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

Ruby

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

Ruby

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

Ruby

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

Ruby

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Ruby

470

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Ruby

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Ruby

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

Ruby

521

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

Ruby

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Ruby

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Ruby

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Ruby

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Ruby

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Ruby

625

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Ruby

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Ruby

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Ruby

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Ruby

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Ruby

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Ruby

642

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

Ruby

657

The product violates well-established principles for secure design.

Ruby

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Ruby

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Ruby

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Ruby

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Ruby

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Ruby

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

Ruby

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Ruby

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Ruby

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Ruby

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Ruby

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Ruby

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Ruby

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Ruby

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Ruby

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

Ruby

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

Ruby

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

Ruby

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

Ruby

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

Ruby

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

Ruby

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

Ruby

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

Ruby

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

Ruby

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

Ruby

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Ruby

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

Ruby

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

Ruby

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

Ruby

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Ruby

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

Ruby

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

Ruby

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

Ruby

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Ruby

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Ruby

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

Ruby

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

Ruby

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Ruby

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Ruby

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

Ruby

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Ruby

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Ruby

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Ruby

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Ruby

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

Ruby

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

Ruby

777

The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

Ruby

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Ruby

799

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

Ruby

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Ruby

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

Ruby

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

Ruby

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

Ruby

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Ruby

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Ruby

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

Ruby

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

Ruby

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

Ruby

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

Ruby

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

Ruby

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

Ruby

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

Ruby

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

Ruby

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

Ruby

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Ruby

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Ruby

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Ruby

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Ruby

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Ruby

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Ruby

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Ruby

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Ruby

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Ruby

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Ruby

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Ruby

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Ruby

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Ruby

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Ruby

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Ruby

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Ruby

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

Ruby

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Ruby

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Ruby

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

Ruby

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

Ruby

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Ruby

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

Ruby

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

Ruby

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Ruby

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

Ruby

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

Ruby

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

Ruby

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Ruby

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Ruby

915

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Ruby

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Ruby

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Ruby

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Ruby

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Ruby

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

Ruby

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

Ruby

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

Ruby

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

Ruby

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

Ruby

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

Ruby

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

Ruby

937

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2013.

Ruby

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

Ruby

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Ruby

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

Ruby

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

Ruby

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

Ruby

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

Ruby

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

Ruby

955

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34).

Ruby

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

Ruby

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

Ruby

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

Ruby

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

Ruby

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Ruby

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

Ruby

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Ruby

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

Ruby

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

Ruby

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

Ruby

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Ruby

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Ruby

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

Ruby

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Ruby

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Ruby

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

Ruby

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Ruby

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Ruby

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Ruby

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Ruby

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Ruby

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Ruby

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

Ruby

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

Ruby

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Ruby

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Ruby

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Ruby

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Ruby

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

Ruby

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

Ruby

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

Ruby

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

Ruby

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

Ruby

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

Ruby

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

Ruby

1035

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2017.

Ruby

1104

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

Ruby

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Ruby

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Ruby

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Ruby

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Ruby

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

Ruby

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

Ruby

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Ruby

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

Ruby

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Ruby

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Ruby

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

Ruby

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

Ruby

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

Ruby

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Ruby

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

Ruby

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

Ruby

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

Ruby

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Ruby

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Ruby

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

Ruby

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Ruby

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Ruby

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

Ruby

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

Ruby

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

Ruby

1213

Weaknesses in this category are related to a software system's random number generation.

Ruby

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

Ruby

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

Ruby

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

Ruby

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Ruby

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Ruby

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Ruby

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

Ruby

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Ruby

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Ruby

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Ruby

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Ruby

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

Ruby

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Ruby

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

Ruby

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

Ruby

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Ruby

1352

Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.

Ruby

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

Ruby

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

Ruby

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Ruby

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Ruby

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Ruby

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Ruby

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Ruby

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Ruby

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Ruby

1396

Weaknesses in this category are related to access control.

Ruby

1397

Weaknesses in this category are related to comparison.

Ruby

1398

Weaknesses in this category are related to component interaction.

Ruby

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Ruby

1402

Weaknesses in this category are related to encryption.

Ruby

1403

Weaknesses in this category are related to exposed resource.

Ruby

1404

Weaknesses in this category are related to file handling.

Ruby

1406

Weaknesses in this category are related to improper input validation.

Ruby

1407

Weaknesses in this category are related to improper neutralization.

Ruby

1408

Weaknesses in this category are related to incorrect calculation.

Ruby

1409

Weaknesses in this category are related to injection.

Ruby

1410

Weaknesses in this category are related to insufficient control flow management.

Ruby

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

Ruby

1412

Weaknesses in this category are related to poor coding practices.

Ruby

1413

Weaknesses in this category are related to protection mechanism failure.

Ruby

1414

Weaknesses in this category are related to randomness.

Ruby

1415

Weaknesses in this category are related to resource control.

Ruby

1416

Weaknesses in this category are related to resource lifecycle management.

Ruby

1417

Weaknesses in this category are related to sensitive information exposure.

Ruby

1418

Weaknesses in this category are related to violation of secure design principles.

Scala

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Scala

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Scala

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Scala

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Scala

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Scala

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Scala

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Scala

133

Weaknesses in this category are related to the creation and modification of strings.

Scala

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Scala

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Scala

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

Scala

190

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Scala

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Scala

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Scala

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Scala

399

Weaknesses in this category are related to improper management of system resources.

Scala

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

Scala

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

Scala

465

Weaknesses in this category are related to improper handling of pointers.

Scala

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Scala

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

Scala

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

Scala

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

Scala

561

The product contains dead code, which can never be executed.

Scala

569

Weaknesses in this category are related to incorrectly written expressions within code.

Scala

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Scala

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Scala

665

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Scala

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Scala

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Scala

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Scala

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Scala

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Scala

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Scala

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Scala

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Scala

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Scala

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Scala

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Scala

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

Scala

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Scala

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

Scala

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Scala

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

Scala

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

Scala

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Scala

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Scala

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Scala

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Scala

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Scala

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

Scala

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

Scala

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Scala

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

Scala

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Scala

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Scala

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Scala

846

Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Scala

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Scala

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Scala

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Scala

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Scala

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Scala

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Scala

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Scala

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Scala

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Scala

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Scala

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

Scala

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

Scala

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Scala

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

Scala

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

Scala

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Scala

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Scala

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Scala

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Scala

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Scala

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Scala

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Scala

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

Scala

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

Scala

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Scala

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

Scala

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Scala

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Scala

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Scala

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

Scala

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Scala

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Scala

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

Scala

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Scala

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Scala

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Scala

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Scala

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Scala

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Scala

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Scala

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Scala

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

Scala

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

Scala

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

Scala

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Scala

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

Scala

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Scala

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Scala

1135

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.

Scala

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

Scala

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

Scala

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Scala

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Scala

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

Scala

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

Scala

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

Scala

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

Scala

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Scala

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

Scala

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Scala

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Scala

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

Scala

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

Scala

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

Scala

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Scala

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Scala

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Scala

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

Scala

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Scala

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Scala

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Scala

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Scala

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Scala

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Scala

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Scala

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Scala

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Scala

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Scala

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Scala

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Scala

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Scala

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Scala

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Scala

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Scala

1397

Weaknesses in this category are related to comparison.

Scala

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Scala

1406

Weaknesses in this category are related to improper input validation.

Scala

1407

Weaknesses in this category are related to improper neutralization.

Scala

1408

Weaknesses in this category are related to incorrect calculation.

Scala

1409

Weaknesses in this category are related to injection.

Scala

1410

Weaknesses in this category are related to insufficient control flow management.

Scala

1412

Weaknesses in this category are related to poor coding practices.

Scala

1413

Weaknesses in this category are related to protection mechanism failure.

Scala

1416

Weaknesses in this category are related to resource lifecycle management.

Swift

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Swift

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Swift

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Swift

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Swift

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

Swift

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Swift

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Swift

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Swift

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Swift

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Swift

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Swift

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Swift

99

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

Swift

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Swift

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

Swift

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

Swift

172

The product does not properly encode or decode the data, resulting in unexpected values.

Swift

176

The product does not properly handle when an input contains Unicode encoding.

Swift

199

Weaknesses in this category are related to improper handling of sensitive information.

Swift

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Swift

212

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Swift

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

Swift

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Swift

255

Weaknesses in this category are related to the management of credentials.

Swift

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Swift

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

Swift

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Swift

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Swift

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Swift

295

The product does not validate, or incorrectly validates, a certificate.

Swift

296

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

Swift

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Swift

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

Swift

311

The product does not encrypt sensitive or critical information before storage or transmission.

Swift

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Swift

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Swift

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

Swift

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Swift

327

The product uses a broken or risky cryptographic algorithm or protocol.

Swift

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Swift

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

Swift

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Swift

346

The product does not properly verify that the source of data or communication is valid.

Swift

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Swift

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

Swift

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

Swift

376

This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219).

Swift

377

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Swift

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Swift

399

Weaknesses in this category are related to improper management of system resources.

Swift

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Swift

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

Swift

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

Swift

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

Swift

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

Swift

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Swift

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Swift

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

Swift

524

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

Swift

525

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

Swift

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

Swift

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Swift

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Swift

613

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Swift

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

Swift

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Swift

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

Swift

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

Swift

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

Swift

657

The product violates well-established principles for secure design.

Swift

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Swift

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

Swift

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Swift

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

Swift

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

Swift

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Swift

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Swift

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Swift

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Swift

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

Swift

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Swift

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Swift

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Swift

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Swift

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

Swift

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

Swift

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

Swift

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

Swift

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

Swift

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

Swift

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

Swift

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

Swift

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

Swift

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

Swift

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

Swift

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

Swift

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

Swift

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

Swift

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

Swift

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

Swift

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

Swift

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

Swift

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

Swift

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

Swift

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

Swift

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Swift

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

Swift

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

Swift

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Swift

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

Swift

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

Swift

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

Swift

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

Swift

779

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

Swift

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Swift

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

Swift

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

Swift

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

Swift

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

Swift

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Swift

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Swift

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

Swift

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

Swift

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

Swift

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

Swift

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

Swift

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

Swift

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

Swift

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

Swift

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Swift

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

Swift

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

Swift

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Swift

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Swift

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Swift

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Swift

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Swift

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Swift

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Swift

863

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Swift

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Swift

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Swift

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Swift

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

Swift

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

Swift

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Swift

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Swift

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Swift

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Swift

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Swift

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

Swift

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

Swift

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

Swift

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Swift

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

Swift

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

Swift

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

Swift

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

Swift

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

Swift

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

Swift

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

Swift

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

Swift

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

Swift

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

Swift

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

Swift

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

Swift

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Swift

921

The product stores sensitive information in a file system or device that does not have built-in access control.

Swift

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Swift

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Swift

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

Swift

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

Swift

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

Swift

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

Swift

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

Swift

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

Swift

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

Swift

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

Swift

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Swift

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

Swift

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

Swift

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

Swift

948

This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.

Swift

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

Swift

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

Swift

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

Swift

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

Swift

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

Swift

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

Swift

964

This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster.

Swift

965

This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.

Swift

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

Swift

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

Swift

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

Swift

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

Swift

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

Swift

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

Swift

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

Swift

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

Swift

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

Swift

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

Swift

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

Swift

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

Swift

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

Swift

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

Swift

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

Swift

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

Swift

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

Swift

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

Swift

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Swift

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

Swift

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Swift

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

Swift

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

Swift

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Swift

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

Swift

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

Swift

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

Swift

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

Swift

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

Swift

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

Swift

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

Swift

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

Swift

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

Swift

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

Swift

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

Swift

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

Swift

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

Swift

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

Swift

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

Swift

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

Swift

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

Swift

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

Swift

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

Swift

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

Swift

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

Swift

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

Swift

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

Swift

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

Swift

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

Swift

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

Swift

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

Swift

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

Swift

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

Swift

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

Swift

1199

Weaknesses in this category are related to hardware-circuit design and logic (e.g., CMOS transistors, finite state machines, and registers) as well as issues related to hardware description languages such as System Verilog and VHDL.

Swift

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

Swift

1204

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

Swift

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

Swift

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

Swift

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

Swift

1213

Weaknesses in this category are related to a software system's random number generation.

Swift

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

Swift

1217

Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.

Swift

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

Swift

1250

The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other.

Swift

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

Swift

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

Swift

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Swift

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

Swift

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

Swift

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

Swift

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

Swift

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

Swift

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

Swift

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

Swift

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

Swift

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

Swift

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

Swift

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

Swift

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Swift

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Swift

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Swift

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Swift

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

Swift

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

Swift

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

Swift

1396

Weaknesses in this category are related to access control.

Swift

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

Swift

1402

Weaknesses in this category are related to encryption.

Swift

1403

Weaknesses in this category are related to exposed resource.

Swift

1404

Weaknesses in this category are related to file handling.

Swift

1406

Weaknesses in this category are related to improper input validation.

Swift

1407

Weaknesses in this category are related to improper neutralization.

Swift

1409

Weaknesses in this category are related to injection.

Swift

1410

Weaknesses in this category are related to insufficient control flow management.

Swift

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

Swift

1412

Weaknesses in this category are related to poor coding practices.

Swift

1413

Weaknesses in this category are related to protection mechanism failure.

Swift

1414

Weaknesses in this category are related to randomness.

Swift

1415

Weaknesses in this category are related to resource control.

Swift

1416

Weaknesses in this category are related to resource lifecycle management.

Swift

1417

Weaknesses in this category are related to sensitive information exposure.

Swift

1418

Weaknesses in this category are related to violation of secure design principles.

TypeScript

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

TypeScript

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

TypeScript

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

TypeScript

16

Weaknesses in this category are typically introduced during the configuration of the software.

TypeScript

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

TypeScript

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

TypeScript

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

TypeScript

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

TypeScript

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

TypeScript

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

TypeScript

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

TypeScript

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

TypeScript

73

The product allows user input to control or influence paths or file names that are used in filesystem operations.

TypeScript

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

TypeScript

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

TypeScript

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

TypeScript

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

TypeScript

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

TypeScript

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

TypeScript

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

TypeScript

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

TypeScript

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

TypeScript

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

TypeScript

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

TypeScript

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

TypeScript

93

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

TypeScript

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

TypeScript

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

TypeScript

99

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

TypeScript

113

The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

TypeScript

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

TypeScript

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

TypeScript

133

Weaknesses in this category are related to the creation and modification of strings.

TypeScript

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

TypeScript

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

TypeScript

140

The product does not neutralize or incorrectly neutralizes delimiters.

TypeScript

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

TypeScript

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

TypeScript

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

TypeScript

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

TypeScript

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

TypeScript

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

TypeScript

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

TypeScript

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

TypeScript

183

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

TypeScript

185

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

TypeScript

187

The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.

TypeScript

199

Weaknesses in this category are related to improper handling of sensitive information.

TypeScript

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

TypeScript

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

TypeScript

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

TypeScript

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

TypeScript

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

TypeScript

215

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

TypeScript

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

TypeScript

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

TypeScript

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

TypeScript

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

TypeScript

228

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

TypeScript

233

The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

TypeScript

248

An exception is thrown from a function, but it is not caught.

TypeScript

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

TypeScript

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

TypeScript

255

Weaknesses in this category are related to the management of credentials.

TypeScript

256

Storing a password in plaintext may result in a system compromise.

TypeScript

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

TypeScript

258

Using an empty string as a password is insecure.

TypeScript

260

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

TypeScript

263

The product supports password aging, but the expiration period is too long.

TypeScript

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

TypeScript

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

TypeScript

269

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

TypeScript

271

The product does not drop privileges before passing control of a resource to an actor that does not have those privileges.

TypeScript

272

The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.

TypeScript

275

Weaknesses in this category are related to improper assignment or handling of permissions.

TypeScript

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

TypeScript

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

TypeScript

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

TypeScript

289

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

TypeScript

290

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

TypeScript

295

The product does not validate, or incorrectly validates, a certificate.

TypeScript

296

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

TypeScript

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

TypeScript

304

The product implements an authentication technique, but it skips a step that weakens the technique.

TypeScript

305

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

TypeScript

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

TypeScript

307

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

TypeScript

308

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

TypeScript

309

The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.

TypeScript

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

TypeScript

311

The product does not encrypt sensitive or critical information before storage or transmission.

TypeScript

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

TypeScript

313

The product stores sensitive information in cleartext in a file, or on disk.

TypeScript

314

The product stores sensitive information in cleartext in the registry.

TypeScript

315

The product stores sensitive information in cleartext in a cookie.

TypeScript

317

The product stores sensitive information in cleartext within the GUI.

TypeScript

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

TypeScript

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

TypeScript

322

The product performs a key exchange with an actor without verifying the identity of that actor.

TypeScript

324

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

TypeScript

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

TypeScript

327

The product uses a broken or risky cryptographic algorithm or protocol.

TypeScript

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

TypeScript

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

TypeScript

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

TypeScript

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

TypeScript

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

TypeScript

346

The product does not properly verify that the source of data or communication is valid.

TypeScript

347

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

TypeScript

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

TypeScript

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

TypeScript

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

TypeScript

358

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

TypeScript

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

TypeScript

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

TypeScript

371

Weaknesses in this category are related to improper management of system state.

TypeScript

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

TypeScript

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

TypeScript

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

TypeScript

399

Weaknesses in this category are related to improper management of system resources.

TypeScript

400

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

TypeScript

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

TypeScript

405

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

TypeScript

409

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

TypeScript

417

Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors.

TypeScript

418

This category has been deprecated because it redundant with the grouping provided by CWE-417.

TypeScript

419

The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel.

TypeScript

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

TypeScript

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

TypeScript

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

TypeScript

441

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

TypeScript

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

TypeScript

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

TypeScript

455

The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator.

TypeScript

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

TypeScript

461

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

TypeScript

463

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

TypeScript

465

Weaknesses in this category are related to improper handling of pointers.

TypeScript

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

TypeScript

480

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

TypeScript

483

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

TypeScript

484

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.

TypeScript

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

TypeScript

489

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

TypeScript

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

TypeScript

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

TypeScript

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

TypeScript

506

The product contains code that appears to be malicious in nature.

TypeScript

521

The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

TypeScript

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

TypeScript

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

TypeScript

524

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.

TypeScript

525

The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached.

TypeScript

526

The product uses an environment variable to store unencrypted sensitive information.

TypeScript

530

A backup file is stored in a directory or archive that is made accessible to unauthorized actors.

TypeScript

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

TypeScript

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

TypeScript

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

TypeScript

539

The web application uses persistent cookies, but the cookies contain sensitive information.

TypeScript

548

A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers.

TypeScript

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

TypeScript

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

TypeScript

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

TypeScript

561

The product contains dead code, which can never be executed.

TypeScript

565

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

TypeScript

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

TypeScript

569

Weaknesses in this category are related to incorrectly written expressions within code.

TypeScript

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

TypeScript

592

This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

TypeScript

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

TypeScript

602

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

TypeScript

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

TypeScript

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

TypeScript

613

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

TypeScript

614

The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.

TypeScript

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

TypeScript

625

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

TypeScript

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

TypeScript

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

TypeScript

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

TypeScript

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

TypeScript

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

TypeScript

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

TypeScript

636

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

TypeScript

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

TypeScript

642

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

TypeScript

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

TypeScript

654

A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

TypeScript

657

The product violates well-established principles for secure design.

TypeScript

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

TypeScript

665

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

TypeScript

666

The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.

TypeScript

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

TypeScript

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

TypeScript

670

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

TypeScript

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

TypeScript

672

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

TypeScript

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

TypeScript

676

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

TypeScript

688

The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses.

TypeScript

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

TypeScript

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

TypeScript

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

TypeScript

697

The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

TypeScript

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

TypeScript

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

TypeScript

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

TypeScript

705

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

TypeScript

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

TypeScript

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

TypeScript

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

TypeScript

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

TypeScript

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

TypeScript

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

TypeScript

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

TypeScript

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

TypeScript

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

TypeScript

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

TypeScript

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

TypeScript

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

TypeScript

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

TypeScript

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

TypeScript

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

TypeScript

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

TypeScript

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

TypeScript

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

TypeScript

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

TypeScript

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

TypeScript

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

TypeScript

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

TypeScript

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

TypeScript

732

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

TypeScript

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

TypeScript

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

740

Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

TypeScript

748

Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008).

TypeScript

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

TypeScript

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

TypeScript

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

TypeScript

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

TypeScript

755

The product does not handle or incorrectly handles an exceptional condition.

TypeScript

757

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

TypeScript

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

TypeScript

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

TypeScript

776

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

TypeScript

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

TypeScript

779

The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

TypeScript

783

The product uses an expression in which operator precedence causes incorrect logic to be used.

TypeScript

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

TypeScript

799

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

TypeScript

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

TypeScript

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

TypeScript

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

TypeScript

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

TypeScript

807

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

TypeScript

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

TypeScript

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

TypeScript

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

TypeScript

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

TypeScript

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

TypeScript

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

TypeScript

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

TypeScript

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

TypeScript

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

TypeScript

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

TypeScript

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

TypeScript

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

TypeScript

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

TypeScript

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

TypeScript

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

TypeScript

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

TypeScript

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

846

Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

854

Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

855

Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

860

Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

TypeScript

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

TypeScript

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

TypeScript

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

TypeScript

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

TypeScript

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

TypeScript

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

TypeScript

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

874

Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

TypeScript

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

TypeScript

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

TypeScript

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

TypeScript

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

TypeScript

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

TypeScript

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

TypeScript

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

TypeScript

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

TypeScript

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

TypeScript

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

TypeScript

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

TypeScript

897

This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28).

TypeScript

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

TypeScript

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

TypeScript

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

TypeScript

901

This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36).

TypeScript

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

TypeScript

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

TypeScript

904

This category identifies Software Fault Patterns (SFPs) within the Malware cluster.

TypeScript

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

TypeScript

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

TypeScript

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

TypeScript

908

The product uses or accesses a resource that has not been initialized.

TypeScript

912

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

TypeScript

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

TypeScript

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

TypeScript

917

The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

TypeScript

918

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

TypeScript

921

The product stores sensitive information in a file system or device that does not have built-in access control.

TypeScript

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

TypeScript

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

TypeScript

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

TypeScript

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

TypeScript

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

TypeScript

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

TypeScript

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

TypeScript

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

TypeScript

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

TypeScript

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

TypeScript

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

TypeScript

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

TypeScript

942

The product uses a cross-domain policy file that includes domains that should not be trusted.

TypeScript

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

TypeScript

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

TypeScript

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

TypeScript

946

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster.

TypeScript

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

TypeScript

948

This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.

TypeScript

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

TypeScript

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

TypeScript

951

This category identifies Software Fault Patterns (SFPs) within the Insecure Authentication Policy cluster.

TypeScript

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

TypeScript

955

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Authentication cluster (SFP34).

TypeScript

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

TypeScript

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

TypeScript

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

TypeScript

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

TypeScript

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

TypeScript

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

TypeScript

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

TypeScript

965

This category identifies Software Fault Patterns (SFPs) within the Insecure Session Management cluster.

TypeScript

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

TypeScript

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

TypeScript

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

TypeScript

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

TypeScript

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

TypeScript

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

TypeScript

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

TypeScript

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

TypeScript

983

This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15).

TypeScript

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

TypeScript

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

TypeScript

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

TypeScript

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

TypeScript

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

TypeScript

993

This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster.

TypeScript

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

TypeScript

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

TypeScript

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

TypeScript

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

TypeScript

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

TypeScript

1002

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.

TypeScript

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

TypeScript

1004

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

TypeScript

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

TypeScript

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

TypeScript

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

TypeScript

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

TypeScript

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

TypeScript

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

TypeScript

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

TypeScript

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

TypeScript

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

TypeScript

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

TypeScript

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

TypeScript

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

TypeScript

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

TypeScript

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

TypeScript

1021

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

TypeScript

1022

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.

TypeScript

1025

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

TypeScript

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

TypeScript

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

TypeScript

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

TypeScript

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

TypeScript

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

TypeScript

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

TypeScript

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

TypeScript

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

TypeScript

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

TypeScript

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

TypeScript

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

TypeScript

1078

The source code does not follow desired style or formatting for indentation, white space, comments, etc.

TypeScript

1104

The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer.

TypeScript

1114

The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.

TypeScript

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

TypeScript

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

TypeScript

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

TypeScript

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

TypeScript

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

TypeScript

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1135

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1145

Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1149

Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1150

Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

TypeScript

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

TypeScript

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

TypeScript

1161

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard.

TypeScript

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

TypeScript

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

TypeScript

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

TypeScript

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

TypeScript

1167

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard.

TypeScript

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

TypeScript

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

TypeScript

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

TypeScript

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

TypeScript

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

TypeScript

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

TypeScript

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

TypeScript

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

TypeScript

1187

This entry has been deprecated because it was a duplicate of CWE-908. All content has been transferred to CWE-908.

TypeScript

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

TypeScript

1198

Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses.

TypeScript

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

TypeScript

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

TypeScript

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

TypeScript

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

TypeScript

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

TypeScript

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

TypeScript

1213

Weaknesses in this category are related to a software system's random number generation.

TypeScript

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

TypeScript

1215

Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed.

TypeScript

1217

Weaknesses in this category are related to session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed.

TypeScript

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

TypeScript

1228

Weaknesses in this category are related to the use of built-in functions or external APIs.

TypeScript

1275

The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

TypeScript

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

TypeScript

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

TypeScript

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

TypeScript

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

TypeScript

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

TypeScript

1327

The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely.

TypeScript

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

TypeScript

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

TypeScript

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

TypeScript

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

TypeScript

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

TypeScript

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

TypeScript

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

TypeScript

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

TypeScript

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

TypeScript

1352

Weaknesses in this category are related to the A06 category "Vulnerable and Outdated Components" in the OWASP Top 10 2021.

TypeScript

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

TypeScript

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

TypeScript

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

TypeScript

1356

Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top 10 2021.

TypeScript

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

TypeScript

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

TypeScript

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

TypeScript

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

TypeScript

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

TypeScript

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1371

Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Undocumented capabilities and configurations pose a risk by not having a clear understanding of what the device is specifically supposed to do and only do. Therefore possibly opening up the attack surface and vulnerabilities." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1373

Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Assumptions made about the user during the design or construction phase may result in vulnerabilities after the system is installed if the user operates it using a different security approach or process than what was designed or built." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

TypeScript

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

TypeScript

1396

Weaknesses in this category are related to access control.

TypeScript

1397

Weaknesses in this category are related to comparison.

TypeScript

1398

Weaknesses in this category are related to component interaction.

TypeScript

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

TypeScript

1402

Weaknesses in this category are related to encryption.

TypeScript

1403

Weaknesses in this category are related to exposed resource.

TypeScript

1404

Weaknesses in this category are related to file handling.

TypeScript

1405

Weaknesses in this category are related to improper check or handling of exceptional conditions.

TypeScript

1406

Weaknesses in this category are related to improper input validation.

TypeScript

1407

Weaknesses in this category are related to improper neutralization.

TypeScript

1409

Weaknesses in this category are related to injection.

TypeScript

1410

Weaknesses in this category are related to insufficient control flow management.

TypeScript

1411

Weaknesses in this category are related to insufficient verification of data authenticity.

TypeScript

1412

Weaknesses in this category are related to poor coding practices.

TypeScript

1413

Weaknesses in this category are related to protection mechanism failure.

TypeScript

1414

Weaknesses in this category are related to randomness.

TypeScript

1415

Weaknesses in this category are related to resource control.

TypeScript

1416

Weaknesses in this category are related to resource lifecycle management.

TypeScript

1417

Weaknesses in this category are related to sensitive information exposure.

TypeScript

1418

Weaknesses in this category are related to violation of secure design principles.

VB.NET

2

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."

VB.NET

4

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

5

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.

VB.NET

16

Weaknesses in this category are typically introduced during the configuration of the software.

VB.NET

17

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

18

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

19

Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

VB.NET

20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

VB.NET

21

This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706).

VB.NET

22

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

VB.NET

23

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

VB.NET

36

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

VB.NET

73

The product allows user input to control or influence paths or file names that are used in filesystem operations.

VB.NET

74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

VB.NET

77

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

VB.NET

78

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

VB.NET

79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

VB.NET

80

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

VB.NET

82

The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute.

VB.NET

83

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

VB.NET

85

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

VB.NET

86

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

VB.NET

87

The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

VB.NET

88

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

VB.NET

89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

VB.NET

90

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

VB.NET

91

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

VB.NET

94

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

VB.NET

95

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

VB.NET

116

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

VB.NET

117

The product does not neutralize or incorrectly neutralizes output that is written to logs.

VB.NET

137

Weaknesses in this category are related to the creation or neutralization of data using an incorrect format.

VB.NET

138

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

VB.NET

140

The product does not neutralize or incorrectly neutralizes delimiters.

VB.NET

141

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

VB.NET

142

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

VB.NET

143

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

VB.NET

146

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

VB.NET

149

Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

VB.NET

150

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

VB.NET

157

The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces.

VB.NET

171

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories.

VB.NET

189

Weaknesses in this category are related to improper calculation or conversion of numbers.

VB.NET

199

Weaknesses in this category are related to improper handling of sensitive information.

VB.NET

200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

VB.NET

201

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

VB.NET

209

The product generates an error message that includes sensitive information about its environment, users, or associated data.

VB.NET

210

The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information.

VB.NET

211

The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information.

VB.NET

221

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

VB.NET

223

The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe.

VB.NET

226

The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.

VB.NET

227

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."

VB.NET

249

This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.

VB.NET

254

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

VB.NET

255

Weaknesses in this category are related to the management of credentials.

VB.NET

256

Storing a password in plaintext may result in a system compromise.

VB.NET

257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

VB.NET

259

The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.

VB.NET

264

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

VB.NET

265

Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer.

VB.NET

284

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

VB.NET

285

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

VB.NET

287

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

VB.NET

295

The product does not validate, or incorrectly validates, a certificate.

VB.NET

296

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.

VB.NET

299

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

VB.NET

300

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

VB.NET

304

The product implements an authentication technique, but it skips a step that weakens the technique.

VB.NET

306

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

VB.NET

310

Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.

VB.NET

311

The product does not encrypt sensitive or critical information before storage or transmission.

VB.NET

312

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

VB.NET

313

The product stores sensitive information in cleartext in a file, or on disk.

VB.NET

314

The product stores sensitive information in cleartext in the registry.

VB.NET

315

The product stores sensitive information in cleartext in a cookie.

VB.NET

317

The product stores sensitive information in cleartext within the GUI.

VB.NET

318

The product stores sensitive information in cleartext in an executable.

VB.NET

319

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

VB.NET

320

Weaknesses in this category are related to errors in the management of cryptographic keys.

VB.NET

321

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

VB.NET

326

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

VB.NET

327

The product uses a broken or risky cryptographic algorithm or protocol.

VB.NET

328

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

VB.NET

330

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

VB.NET

338

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

VB.NET

344

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

VB.NET

345

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

VB.NET

352

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

VB.NET

353

The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.

VB.NET

355

Weaknesses in this category are related to or introduced in the User Interface (UI).

VB.NET

359

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

VB.NET

361

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."

VB.NET

369

The product divides a value by zero.

VB.NET

371

Weaknesses in this category are related to improper management of system state.

VB.NET

380

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

381

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

384

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

VB.NET

388

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

VB.NET

389

This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions.

VB.NET

398

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

VB.NET

399

Weaknesses in this category are related to improper management of system resources.

VB.NET

402

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

VB.NET

403

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

VB.NET

404

The product does not release or incorrectly releases a resource before it is made available for re-use.

VB.NET

405

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

VB.NET

409

The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

VB.NET

435

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

VB.NET

436

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

VB.NET

438

Weaknesses in this category are related to unexpected behaviors from code that an application uses.

VB.NET

442

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

452

Weaknesses in this category occur in behaviors that are used for initialization and breakdown.

VB.NET

459

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

VB.NET

465

Weaknesses in this category are related to improper handling of pointers.

VB.NET

470

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

VB.NET

476

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

VB.NET

485

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

VB.NET

497

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

VB.NET

502

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

VB.NET

505

This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

522

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

VB.NET

523

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

VB.NET

526

The product uses an environment variable to store unencrypted sensitive information.

VB.NET

532

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

VB.NET

536

A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker.

VB.NET

538

The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.

VB.NET

539

The web application uses persistent cookies, but the cookies contain sensitive information.

VB.NET

540

Source code on a web server or repository often contains sensitive information and should generally not be accessible to users.

VB.NET

543

The product uses the singleton pattern when creating a resource within a multithreaded environment.

VB.NET

550

Certain conditions, such as network failure, will cause a server error message to be displayed.

VB.NET

552

The product makes files or directories accessible to unauthorized actors, even though they should not be.

VB.NET

557

Weaknesses in this category are related to concurrent use of shared resources.

VB.NET

559

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

VB.NET

561

The product contains dead code, which can never be executed.

VB.NET

566

The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.

VB.NET

573

The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.

VB.NET

601

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

VB.NET

610

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

VB.NET

611

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

VB.NET

615

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.

VB.NET

624

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

VB.NET

628

The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

VB.NET

629

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

VB.NET

632

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

VB.NET

633

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

VB.NET

634

This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE.

VB.NET

635

CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects.

VB.NET

639

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

VB.NET

642

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

VB.NET

643

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.

VB.NET

644

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

VB.NET

657

The product violates well-established principles for secure design.

VB.NET

662

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

VB.NET

664

The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

VB.NET

668

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

VB.NET

669

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

VB.NET

671

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

VB.NET

674

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

VB.NET

682

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

VB.NET

683

The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses.

VB.NET

691

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

VB.NET

692

The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed.

VB.NET

693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

VB.NET

699

This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

VB.NET

700

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

VB.NET

703

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

VB.NET

706

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

VB.NET

707

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

VB.NET

710

The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

VB.NET

711

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

VB.NET

712

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2007.

VB.NET

713

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2007.

VB.NET

714

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2007.

VB.NET

715

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2007.

VB.NET

716

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2007.

VB.NET

717

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2007.

VB.NET

718

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2007.

VB.NET

719

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2007.

VB.NET

720

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2007.

VB.NET

721

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2007.

VB.NET

722

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2004.

VB.NET

723

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2004.

VB.NET

724

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2004.

VB.NET

725

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2004.

VB.NET

727

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2004.

VB.NET

728

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2004.

VB.NET

729

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2004.

VB.NET

730

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2004.

VB.NET

731

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2004.

VB.NET

734

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008.

VB.NET

736

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

737

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

738

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

739

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

741

Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

742

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

743

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

744

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

745

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

746

Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

747

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008).

VB.NET

750

CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

VB.NET

751

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors.

VB.NET

752

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors.

VB.NET

753

Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors.

VB.NET

755

The product does not handle or incorrectly handles an exceptional condition.

VB.NET

759

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input.

VB.NET

760

The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input.

VB.NET

776

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

VB.NET

778

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

VB.NET

798

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

VB.NET

800

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available.

VB.NET

801

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors.

VB.NET

802

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors.

VB.NET

803

Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors.

VB.NET

808

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

VB.NET

809

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

VB.NET

810

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2010.

VB.NET

811

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2010.

VB.NET

812

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2010.

VB.NET

813

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2010.

VB.NET

814

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2010.

VB.NET

815

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2010.

VB.NET

816

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2010.

VB.NET

817

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2010.

VB.NET

818

Weaknesses in this category are related to the A9 category in the OWASP Top 10 2010.

VB.NET

819

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2010.

VB.NET

820

The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.

VB.NET

827

The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker.

VB.NET

829

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

VB.NET

834

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

VB.NET

835

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

VB.NET

840

Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses.

VB.NET

844

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available.

VB.NET

845

Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

848

Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

850

Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

851

Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

852

Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

853

Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

855

Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

857

Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

858

Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

859

Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

861

Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

VB.NET

862

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

VB.NET

864

Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

VB.NET

865

Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

VB.NET

866

Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

VB.NET

867

Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn.

VB.NET

868

CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016.

VB.NET

871

Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

872

Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

873

Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

875

Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

876

Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

877

Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

878

Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

879

Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

880

Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

881

Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

882

Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

883

Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.

VB.NET

884

This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries.

VB.NET

885

This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1).

VB.NET

886

This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2).

VB.NET

887

This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3).

VB.NET

888

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

VB.NET

889

This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6).

VB.NET

890

This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8).

VB.NET

892

This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37).

VB.NET

893

This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18).

VB.NET

894

This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22).

VB.NET

895

This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23).

VB.NET

896

This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27).

VB.NET

898

This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34).

VB.NET

899

This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35).

VB.NET

900

CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors.

VB.NET

902

This category identifies Software Fault Patterns (SFPs) within the Channel cluster.

VB.NET

903

This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster.

VB.NET

905

This category identifies Software Fault Patterns (SFPs) within the Predictability cluster.

VB.NET

906

This category identifies Software Fault Patterns (SFPs) within the UI cluster.

VB.NET

907

This category identifies Software Fault Patterns (SFPs) within the Other cluster.

VB.NET

913

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

VB.NET

915

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

VB.NET

916

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

VB.NET

922

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

VB.NET

923

The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

VB.NET

928

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top 10 is available.

VB.NET

929

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2013.

VB.NET

930

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2013.

VB.NET

931

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2013.

VB.NET

932

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2013.

VB.NET

933

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2013.

VB.NET

934

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2013.

VB.NET

935

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2013.

VB.NET

936

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2013.

VB.NET

938

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2013.

VB.NET

943

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

VB.NET

944

This category identifies Software Fault Patterns (SFPs) within the Access Management cluster.

VB.NET

945

This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35).

VB.NET

947

This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster.

VB.NET

948

This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.

VB.NET

949

This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29).

VB.NET

950

This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33).

VB.NET

952

This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster.

VB.NET

956

This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster.

VB.NET

957

This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster.

VB.NET

958

This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster.

VB.NET

959

This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster.

VB.NET

961

This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).

VB.NET

962

This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4).

VB.NET

963

This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23).

VB.NET

966

This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster.

VB.NET

971

This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7).

VB.NET

975

This category identifies Software Fault Patterns (SFPs) within the Architecture cluster.

VB.NET

977

This category identifies Software Fault Patterns (SFPs) within the Design cluster.

VB.NET

978

This category identifies Software Fault Patterns (SFPs) within the Implementation cluster.

VB.NET

980

This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18).

VB.NET

981

This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16).

VB.NET

982

This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14).

VB.NET

984

This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster.

VB.NET

985

This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13).

VB.NET

986

This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19).

VB.NET

990

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24).

VB.NET

991

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27).

VB.NET

992

This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster.

VB.NET

994

This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25).

VB.NET

997

This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster.

VB.NET

998

This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1).

VB.NET

1000

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE.

VB.NET

1001

This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3).

VB.NET

1003

CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus.

VB.NET

1005

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."

VB.NET

1006

Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code.

VB.NET

1008

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

VB.NET

1009

Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture.

VB.NET

1010

Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

VB.NET

1011

Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture.

VB.NET

1012

Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture.

VB.NET

1013

Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture.

VB.NET

1014

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

VB.NET

1015

Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture.

VB.NET

1016

Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture.

VB.NET

1018

Weaknesses in this category are related to the design and architecture of session management. Frequently these deal with the information or status about each user and their access rights for the duration of multiple requests. The weaknesses in this category could lead to a degradation of the quality of session management if they are not addressed when designing or implementing a secure architecture.

VB.NET

1019

Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture.

VB.NET

1020

Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture.

VB.NET

1026

CWE nodes in this view (graph) are associated with the OWASP Top 10, as released in 2017.

VB.NET

1027

Weaknesses in this category are related to the A1 category in the OWASP Top 10 2017.

VB.NET

1028

Weaknesses in this category are related to the A2 category in the OWASP Top 10 2017.

VB.NET

1029

Weaknesses in this category are related to the A3 category in the OWASP Top 10 2017.

VB.NET

1030

Weaknesses in this category are related to the A4 category in the OWASP Top 10 2017.

VB.NET

1031

Weaknesses in this category are related to the A5 category in the OWASP Top 10 2017.

VB.NET

1032

Weaknesses in this category are related to the A6 category in the OWASP Top 10 2017.

VB.NET

1033

Weaknesses in this category are related to the A7 category in the OWASP Top 10 2017.

VB.NET

1034

Weaknesses in this category are related to the A8 category in the OWASP Top 10 2017.

VB.NET

1036

Weaknesses in this category are related to the A10 category in the OWASP Top 10 2017.

VB.NET

1041

The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

VB.NET

1128

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards.

VB.NET

1129

Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software.

VB.NET

1130

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software.

VB.NET

1131

Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software.

VB.NET

1133

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.

VB.NET

1134

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1136

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1137

Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1140

Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1141

Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1142

Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1143

Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1145

Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1147

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1148

Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1152

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.

VB.NET

1154

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard.

VB.NET

1157

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard.

VB.NET

1158

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard.

VB.NET

1159

Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard.

VB.NET

1162

Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard.

VB.NET

1163

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.

VB.NET

1164

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness.

VB.NET

1165

Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard.

VB.NET

1166

Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard.

VB.NET

1169

Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard.

VB.NET

1170

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard.

VB.NET

1172

Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard.

VB.NET

1178

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard.

VB.NET

1179

Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard.

VB.NET

1180

Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard.

VB.NET

1181

Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard.

VB.NET

1182

Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard.

VB.NET

1186

Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard.

VB.NET

1194

This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.

VB.NET

1200

CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors.

VB.NET

1202

Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC).

VB.NET

1207

Weaknesses in this category are related to hardware debug and test interfaces such as JTAG and scan chain.

VB.NET

1210

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed.

VB.NET

1211

Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability.

VB.NET

1212

Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability.

VB.NET

1213

Weaknesses in this category are related to a software system's random number generation.

VB.NET

1214

Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed.

VB.NET

1219

Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered.

VB.NET

1305

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards.

VB.NET

1306

Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software.

VB.NET

1307

Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software.

VB.NET

1308

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

VB.NET

1309

Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software.

VB.NET

1337

CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

VB.NET

1340

This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.

VB.NET

1344

CWE entries in this view (graph) are associated with the OWASP Top 10, as released in 2021.

VB.NET

1345

Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top 10 2021.

VB.NET

1346

Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top 10 2021.

VB.NET

1347

Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top 10 2021.

VB.NET

1348

Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top 10 2021.

VB.NET

1349

Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top 10 2021.

VB.NET

1350

CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses.

VB.NET

1353

Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top 10 2021.

VB.NET

1354

Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top 10 2021.

VB.NET

1355

Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top 10 2021.

VB.NET

1358

CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1359

Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

VB.NET

1360

Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

VB.NET

1361

Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

VB.NET

1362

Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

VB.NET

1363

Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022.

VB.NET

1364

Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Within an ICS system, for traffic that crosses through network zone boundaries, vulnerabilities arise when those boundaries were designed for safety or other purposes but are being repurposed for security." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1366

Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Vulnerabilities arise as a result of mis-implementation or incomplete implementation of security in ICS implementations of communication protocols." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1368

Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Due to the highly interconnected technologies in use, an external dependency on another digital system could cause a confidentiality, integrity, or availability incident for the protected system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1369

Weaknesses in this category are related to the "IT/OT Convergence/Expansion" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The increased penetration of DER devices and smart loads make emerging ICS networks more like IT networks and thus susceptible to vulnerabilities similar to those of IT networks." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1370

Weaknesses in this category are related to the "Common Mode Frailties" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "At the component level, most ICS systems are assembled from common parts made by other companies. One or more of these common parts might contain a vulnerability that could result in a wide-spread incident." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1372

Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "In ICS, when this procurement process results in a vulnerability or component damage, it can have grid impacts or cause physical harm." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1375

Weaknesses in this category are related to the "Gaps in Details/Data" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "Highly complex systems are often operated by personnel who have years of experience in managing that particular facility or plant. Much of their knowledge is passed along through verbal or hands-on training but may not be fully documented in written practices and procedures." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1382

Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "With the rapid evolution of the energy system accelerated by the emergence of new technologies such as DERs, electric vehicles, advanced communications (5G+), novel and diverse challenges arise for secure and resilient operation of the system." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1383

Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022: "The ICS environment faces overlapping regulatory regimes and authorities with multiple focus areas (e.g., operational resiliency, physical safety, interoperability, and security) which can result in cyber security vulnerabilities when implemented as written due to gaps in considerations, outdatedness, or conflicting requirements." Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions.

VB.NET

1387

CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses.

VB.NET

1396

Weaknesses in this category are related to access control.

VB.NET

1398

Weaknesses in this category are related to component interaction.

VB.NET

1400

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help tracking weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views that only use a subset of weaknesses. This view is structured with categories at the top level, with a second level of only weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown. Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis. Note that the size of each category can vary widely because (1) CWE is not as well fleshed-out in some areas compared to others; (2) abstraction of the CWEs in the grouping might go down to Variant level for some buckets, versus others.

VB.NET

1401

Weaknesses in this category are related to concurrency.

VB.NET

1402

Weaknesses in this category are related to encryption.

VB.NET

1403

Weaknesses in this category are related to exposed resource.

VB.NET

1404

Weaknesses in this category are related to file handling.