Coverity version 2022.9.0
At its core, Common Weakness Enumerations (CWEs) are software weaknesses. CWEs provide a taxonomy to categorize and describe software weaknesses, giving developers and security practitioners a common language for software security.
MITRE owns and maintains the project. To learn more about CWE, click here.
Search below to see Coverity's CWE support of languages in your codebase.
| Language/Platform | CWE | Description |
|---|---|---|
| Apex | 17 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| Apex | 18 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| Apex | 19 | Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. |
| Apex | 20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| Apex | 74 | The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| Apex | 77 | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| Apex | 79 | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| Apex | 89 | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. |
| Apex | 116 | The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| Apex | 137 | Weaknesses in this category are related to the creation or neutralization of data using an incorrect format. |
| Apex | 171 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories. |
| Apex | 199 | Weaknesses in this category are related to improper handling of sensitive information. |
| Apex | 227 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." |
| Apex | 242 | The program calls a function that can never be guaranteed to work safely. |
| Apex | 254 | Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management. |
| Apex | 255 | Weaknesses in this category are related to the management of credentials. |
| Apex | 259 | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| Apex | 264 | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| Apex | 265 | Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer. |
| Apex | 269 | The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| Apex | 274 | The software does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses. |
| Apex | 284 | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| Apex | 287 | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. |
| Apex | 310 | Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. |
| Apex | 311 | The software does not encrypt sensitive or critical information before storage or transmission. |
| Apex | 319 | The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| Apex | 320 | Weaknesses in this category are related to errors in the management of cryptographic keys. |
| Apex | 321 | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. |
| Apex | 330 | The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| Apex | 344 | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| Apex | 345 | The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| Apex | 352 | The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. |
| Apex | 361 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." |
| Apex | 388 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle." |
| Apex | 389 | This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. |
| Apex | 442 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| Apex | 601 | A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. |
| Apex | 610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| Apex | 629 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| Apex | 632 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| Apex | 635 | CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. |
| Apex | 657 | The product violates well-established principles for secure design. |
| Apex | 664 | The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. |
| Apex | 671 | The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. |
| Apex | 693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| Apex | 699 | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| Apex | 700 | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |
| Apex | 703 | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| Apex | 707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| Apex | 710 | The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. |
| Apex | 711 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| Apex | 712 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2007. |
| Apex | 713 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007. |
| Apex | 716 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2007. |
| Apex | 718 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007. |
| Apex | 719 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007. |
| Apex | 720 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. |
| Apex | 722 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004. |
| Apex | 723 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004. |
| Apex | 724 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004. |
| Apex | 725 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004. |
| Apex | 727 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004. |
| Apex | 728 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004. |
| Apex | 729 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004. |
| Apex | 734 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. |
| Apex | 738 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008). |
| Apex | 742 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008). |
| Apex | 746 | Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008). |
| Apex | 747 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008). |
| Apex | 748 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008). |
| Apex | 750 | CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| Apex | 751 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| Apex | 753 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| Apex | 798 | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| Apex | 800 | CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| Apex | 801 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| Apex | 803 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| Apex | 808 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| Apex | 809 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| Apex | 810 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010. |
| Apex | 811 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2010. |
| Apex | 812 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010. |
| Apex | 814 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2010. |
| Apex | 816 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010. |
| Apex | 818 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. |
| Apex | 819 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2010. |
| Apex | 844 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
| Apex | 845 | Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Apex | 851 | Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Apex | 858 | Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Apex | 859 | Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Apex | 861 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Apex | 864 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| Apex | 866 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| Apex | 867 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| Apex | 868 | CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016. |
| Apex | 872 | Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| Apex | 876 | Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| Apex | 880 | Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| Apex | 883 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| Apex | 884 | This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries. |
| Apex | 887 | This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3). |
| Apex | 888 | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
| Apex | 889 | This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6). |
| Apex | 892 | This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37). |
| Apex | 893 | This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18). |
| Apex | 895 | This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23). |
| Apex | 896 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27). |
| Apex | 898 | This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34). |
| Apex | 899 | This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35). |
| Apex | 900 | CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| Apex | 901 | This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36). |
| Apex | 905 | This category identifies Software Fault Patterns (SFPs) within the Predictability cluster. |
| Apex | 907 | This category identifies Software Fault Patterns (SFPs) within the Other cluster. |
| Apex | 917 | The software constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. |
| Apex | 928 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| Apex | 929 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013. |
| Apex | 930 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013. |
| Apex | 931 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2013. |
| Apex | 934 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013. |
| Apex | 935 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013. |
| Apex | 936 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2013. |
| Apex | 938 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2013. |
| Apex | 943 | The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
| Apex | 944 | This category identifies Software Fault Patterns (SFPs) within the Access Management cluster. |
| Apex | 947 | This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster. |
| Apex | 949 | This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29). |
| Apex | 950 | This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33). |
| Apex | 961 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6). |
| Apex | 963 | This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23). |
| Apex | 975 | This category identifies Software Fault Patterns (SFPs) within the Architecture cluster. |
| Apex | 978 | This category identifies Software Fault Patterns (SFPs) within the Implementation cluster. |
| Apex | 980 | This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18). |
| Apex | 984 | This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster. |
| Apex | 990 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24). |
| Apex | 992 | This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster. |
| Apex | 994 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25). |
| Apex | 1000 | This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE. |
| Apex | 1001 | This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3). |
| Apex | 1003 | CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus. |
| Apex | 1005 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input." |
| Apex | 1006 | Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code. |
| Apex | 1008 | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
| Apex | 1010 | Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1011 | Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1012 | Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1013 | Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1014 | Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1015 | Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1019 | Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1020 | Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture. |
| Apex | 1026 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. |
| Apex | 1027 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2017. |
| Apex | 1028 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017. |
| Apex | 1029 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017. |
| Apex | 1031 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017. |
| Apex | 1033 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2017. |
| Apex | 1128 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards. |
| Apex | 1131 | Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software. |
| Apex | 1133 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. |
| Apex | 1134 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| Apex | 1141 | Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| Apex | 1147 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| Apex | 1148 | Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| Apex | 1152 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| Apex | 1154 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard. |
| Apex | 1163 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard. |
| Apex | 1169 | Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard. |
| Apex | 1170 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard. |
| Apex | 1171 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard. |
| Apex | 1172 | Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard. |
| Apex | 1178 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard. |
| Apex | 1179 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard. |
| Apex | 1200 | CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors. |
| Apex | 1228 | Weaknesses in this category are related to the use of built-in functions or external APIs. |
| Apex | 1305 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards. |
| Apex | 1306 | Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software. |
| Apex | 1308 | Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software. |
| Apex | 1337 | CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses. |
| Apex | 1340 | This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group. |
| Apex | 1344 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| Apex | 1345 | Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021. |
| Apex | 1346 | Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021. |
| Apex | 1347 | Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021. |
| Apex | 1348 | Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021. |
| Apex | 1350 | CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. |
| Apex | 1353 | Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021. |
| Apex | 1354 | Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top Ten 2021. |
| Apex | 1358 | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| Apex | 1360 | Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| Apex | 1362 | Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| Apex | 1363 | Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| Apex | 1368 | Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| Apex | 1373 | Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| Apex | 1382 | Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| Apex | 1383 | Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| Apex | 1387 | CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses. |
| C# | 2 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." |
| C# | 4 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 5 | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. |
| C# | 10 | This category has been deprecated. It added unnecessary depth and complexity to its associated views. |
| C# | 11 | Debugging messages help attackers learn about the system and plan a form of attack. |
| C# | 16 | Weaknesses in this category are typically introduced during the configuration of the software. |
| C# | 17 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 18 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 19 | Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. |
| C# | 20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| C# | 21 | This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706). |
| C# | 22 | The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| C# | 23 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
| C# | 36 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. |
| C# | 73 | The software allows user input to control or influence paths or file names that are used in filesystem operations. |
| C# | 74 | The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| C# | 77 | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| C# | 78 | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| C# | 79 | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| C# | 80 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| C# | 82 | The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute. |
| C# | 83 | The software does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style. |
| C# | 85 | The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters. |
| C# | 86 | The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers. |
| C# | 87 | The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
| C# | 88 | The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| C# | 89 | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. |
| C# | 90 | The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
| C# | 91 | The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| C# | 94 | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| C# | 95 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
| C# | 116 | The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| C# | 117 | The software does not neutralize or incorrectly neutralizes output that is written to logs. |
| C# | 137 | Weaknesses in this category are related to the creation or neutralization of data using an incorrect format. |
| C# | 138 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. |
| C# | 140 | The software does not neutralize or incorrectly neutralizes delimiters. |
| C# | 141 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. |
| C# | 142 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component. |
| C# | 143 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component. |
| C# | 146 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. |
| C# | 149 | Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions. |
| C# | 150 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
| C# | 157 | The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces. |
| C# | 171 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories. |
| C# | 183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
| C# | 189 | Weaknesses in this category are related to improper calculation or conversion of numbers. |
| C# | 190 | The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. |
| C# | 199 | Weaknesses in this category are related to improper handling of sensitive information. |
| C# | 200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| C# | 201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| C# | 209 | The software generates an error message that includes sensitive information about its environment, users, or associated data. |
| C# | 210 | The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
| C# | 211 | The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. |
| C# | 215 | The application inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. |
| C# | 221 | The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. |
| C# | 223 | The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. |
| C# | 226 | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
| C# | 227 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." |
| C# | 249 | This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the "path manipulation" term and the description. The original description for this entry was the same as that for the "Often Misused: File System" item in the original Seven Pernicious Kingdoms paper. However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase that is for external control of pathnames (CWE-73), which is a factor in symbolic link following and path traversal, neither of which is explicitly mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation" for a broader range of problems, generally for issues related to buffer management. Given the multiple conflicting uses of this term, there is a chance that CWE users may have incorrectly mapped to this entry. The second reason for deprecation is an implied combination of multiple weaknesses within buffer-handling functions. The focus of this entry was generally on the path-conversion functions and their association with buffer overflows. However, some of Fortify's Vulncat entries have the term "path manipulation" but describe a non-overflow weakness in which the buffer is not guaranteed to contain the entire pathname, i.e., there is information truncation (see CWE-222 for a similar concept). A new entry for this non-overflow weakness may be created in a future version of CWE. |
| C# | 254 | Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management. |
| C# | 255 | Weaknesses in this category are related to the management of credentials. |
| C# | 256 | Storing a password in plaintext may result in a system compromise. |
| C# | 257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
| C# | 259 | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| C# | 260 | The software stores a password in a configuration file that might be accessible to actors who do not know the password. |
| C# | 264 | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| C# | 265 | Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer. |
| C# | 275 | Weaknesses in this category are related to improper assignment or handling of permissions. |
| C# | 284 | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| C# | 285 | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| C# | 287 | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. |
| C# | 300 | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
| C# | 304 | The software implements an authentication technique, but it skips a step that weakens the technique. |
| C# | 306 | The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| C# | 310 | Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. |
| C# | 311 | The software does not encrypt sensitive or critical information before storage or transmission. |
| C# | 312 | The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| C# | 313 | The application stores sensitive information in cleartext in a file, or on disk. |
| C# | 314 | The application stores sensitive information in cleartext in the registry. |
| C# | 315 | The application stores sensitive information in cleartext in a cookie. |
| C# | 317 | The application stores sensitive information in cleartext within the GUI. |
| C# | 318 | The application stores sensitive information in cleartext in an executable. |
| C# | 319 | The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| C# | 320 | Weaknesses in this category are related to errors in the management of cryptographic keys. |
| C# | 321 | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. |
| C# | 326 | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| C# | 327 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| C# | 328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
| C# | 330 | The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| C# | 338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| C# | 344 | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| C# | 345 | The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| C# | 352 | The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. |
| C# | 355 | Weaknesses in this category are related to or introduced in the User Interface (UI). |
| C# | 359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| C# | 361 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." |
| C# | 362 | The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. |
| C# | 366 | If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. |
| C# | 369 | The product divides a value by zero. |
| C# | 371 | Weaknesses in this category are related to improper management of system state. |
| C# | 380 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 381 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 388 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle." |
| C# | 389 | This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. |
| C# | 390 | The software detects a specific error, but takes no actions to handle the error. |
| C# | 398 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways." |
| C# | 399 | Weaknesses in this category are related to improper management of system resources. |
| C# | 402 | The software makes resources available to untrusted parties when those resources are only intended to be accessed by the software. |
| C# | 403 | A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. |
| C# | 404 | The program does not release or incorrectly releases a resource before it is made available for re-use. |
| C# | 405 | Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. |
| C# | 409 | The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| C# | 411 | Weaknesses in this category are related to improper handling of locks that are used to control access to resources. |
| C# | 435 | An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. |
| C# | 436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
| C# | 438 | Weaknesses in this category are related to unexpected behaviors from code that an application uses. |
| C# | 442 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 452 | Weaknesses in this category occur in behaviors that are used for initialization and breakdown. |
| C# | 459 | The software does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| C# | 465 | Weaknesses in this category are related to improper handling of pointers. |
| C# | 470 | The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
| C# | 476 | A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. |
| C# | 480 | The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. |
| C# | 483 | The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. |
| C# | 485 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not." |
| C# | 489 | The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information. |
| C# | 497 | The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. |
| C# | 502 | The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. |
| C# | 505 | This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 519 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| C# | 523 | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| C# | 532 | Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. |
| C# | 536 | A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. |
| C# | 538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| C# | 539 | The web application uses persistent cookies, but the cookies contain sensitive information. |
| C# | 540 | Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. |
| C# | 543 | The software uses the singleton pattern when creating a resource within a multithreaded environment. |
| C# | 550 | Certain conditions, such as network failure, will cause a server error message to be displayed. |
| C# | 552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| C# | 557 | Weaknesses in this category are related to concurrent use of shared resources. |
| C# | 559 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C# | 561 | The software contains dead code, which can never be executed. |
| C# | 563 | The variable's value is assigned but never used, making it a dead store. |
| C# | 566 | The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. |
| C# | 567 | The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. |
| C# | 569 | Weaknesses in this category are related to incorrectly written expressions within code. |
| C# | 570 | The software contains an expression that will always evaluate to false. |
| C# | 573 | The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. |
| C# | 595 | The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. |
| C# | 601 | A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. |
| C# | 610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| C# | 611 | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| C# | 614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. |
| C# | 615 | While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. |
| C# | 624 | The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers. |
| C# | 628 | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. |
| C# | 629 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C# | 632 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| C# | 633 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| C# | 634 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| C# | 635 | CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. |
| C# | 639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| C# | 642 | The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. |
| C# | 643 | The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. |
| C# | 644 | The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
| C# | 657 | The product violates well-established principles for secure design. |
| C# | 662 | The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. |
| C# | 664 | The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. |
| C# | 667 | The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
| C# | 668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| C# | 669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
| C# | 670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
| C# | 671 | The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. |
| C# | 674 | The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. |
| C# | 682 | The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. |
| C# | 683 | The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. |
| C# | 691 | The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. |
| C# | 692 | The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. |
| C# | 693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| C# | 697 | The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. |
| C# | 699 | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| C# | 700 | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |
| C# | 703 | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| C# | 706 | The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
| C# | 707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| C# | 710 | The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. |
| C# | 711 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C# | 712 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2007. |
| C# | 713 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007. |
| C# | 714 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2007. |
| C# | 715 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2007. |
| C# | 716 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2007. |
| C# | 717 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2007. |
| C# | 718 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007. |
| C# | 719 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007. |
| C# | 720 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. |
| C# | 721 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2007. |
| C# | 722 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004. |
| C# | 723 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004. |
| C# | 724 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004. |
| C# | 725 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004. |
| C# | 727 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004. |
| C# | 728 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004. |
| C# | 729 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004. |
| C# | 730 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004. |
| C# | 731 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004. |
| C# | 732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| C# | 734 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. |
| C# | 736 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 737 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 738 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 739 | Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 741 | Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 742 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 743 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 744 | Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 745 | Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 746 | Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 747 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008). |
| C# | 748 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008). |
| C# | 749 | The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| C# | 750 | CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| C# | 751 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| C# | 752 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| C# | 753 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| C# | 755 | The software does not handle or incorrectly handles an exceptional condition. |
| C# | 759 | The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. |
| C# | 760 | The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input. |
| C# | 776 | The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
| C# | 778 | When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it. |
| C# | 783 | The program uses an expression in which operator precedence causes incorrect logic to be used. |
| C# | 798 | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| C# | 800 | CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| C# | 801 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| C# | 802 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| C# | 803 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| C# | 808 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| C# | 809 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C# | 810 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010. |
| C# | 811 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2010. |
| C# | 812 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010. |
| C# | 813 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2010. |
| C# | 814 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2010. |
| C# | 815 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2010. |
| C# | 816 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010. |
| C# | 817 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2010. |
| C# | 818 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. |
| C# | 819 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2010. |
| C# | 820 | The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. |
| C# | 827 | The software does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the software to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker. |
| C# | 829 | The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
| C# | 833 | The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. |
| C# | 834 | The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
| C# | 835 | The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| C# | 840 | Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses. |
| C# | 844 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
| C# | 845 | Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 847 | Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 848 | Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 850 | Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 851 | Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 852 | Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 853 | Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 855 | Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 857 | Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 858 | Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 859 | Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 860 | Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 861 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C# | 862 | The software does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| C# | 863 | The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. |
| C# | 864 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C# | 865 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C# | 866 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C# | 867 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| C# | 868 | CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016. |
| C# | 871 | Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 872 | Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 873 | Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 875 | Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 876 | Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 877 | Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 878 | Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 879 | Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 880 | Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 881 | Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 882 | Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 883 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C# | 884 | This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries. |
| C# | 885 | This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1). |
| C# | 886 | This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2). |
| C# | 887 | This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3). |
| C# | 888 | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
| C# | 889 | This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6). |
| C# | 890 | This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8). |
| C# | 892 | This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37). |
| C# | 893 | This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18). |
| C# | 894 | This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22). |
| C# | 895 | This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23). |
| C# | 896 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27). |
| C# | 897 | This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28). |
| C# | 898 | This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34). |
| C# | 899 | This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35). |
| C# | 900 | CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C# | 902 | This category identifies Software Fault Patterns (SFPs) within the Channel cluster. |
| C# | 903 | This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster. |
| C# | 905 | This category identifies Software Fault Patterns (SFPs) within the Predictability cluster. |
| C# | 906 | This category identifies Software Fault Patterns (SFPs) within the UI cluster. |
| C# | 907 | This category identifies Software Fault Patterns (SFPs) within the Other cluster. |
| C# | 913 | The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
| C# | 916 | The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
| C# | 922 | The software stores sensitive information without properly limiting read or write access by unauthorized actors. |
| C# | 923 | The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
| C# | 928 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C# | 929 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013. |
| C# | 930 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013. |
| C# | 931 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2013. |
| C# | 932 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2013. |
| C# | 933 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2013. |
| C# | 934 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013. |
| C# | 935 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013. |
| C# | 936 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2013. |
| C# | 938 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2013. |
| C# | 942 | The software uses a cross-domain policy file that includes domains that should not be trusted. |
| C# | 943 | The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
| C# | 944 | This category identifies Software Fault Patterns (SFPs) within the Access Management cluster. |
| C# | 945 | This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35). |
| C# | 946 | This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster. |
| C# | 947 | This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster. |
| C# | 949 | This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29). |
| C# | 950 | This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33). |
| C# | 952 | This category identifies Software Fault Patterns (SFPs) within the Missing Authentication cluster. |
| C# | 956 | This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster. |
| C# | 957 | This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster. |
| C# | 958 | This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster. |
| C# | 959 | This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster. |
| C# | 961 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6). |
| C# | 962 | This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4). |
| C# | 963 | This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23). |
| C# | 966 | This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster. |
| C# | 971 | This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7). |
| C# | 975 | This category identifies Software Fault Patterns (SFPs) within the Architecture cluster. |
| C# | 977 | This category identifies Software Fault Patterns (SFPs) within the Design cluster. |
| C# | 978 | This category identifies Software Fault Patterns (SFPs) within the Implementation cluster. |
| C# | 980 | This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18). |
| C# | 981 | This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16). |
| C# | 982 | This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14). |
| C# | 984 | This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster. |
| C# | 985 | This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13). |
| C# | 986 | This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19). |
| C# | 988 | This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20). |
| C# | 990 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24). |
| C# | 991 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27). |
| C# | 992 | This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster. |
| C# | 994 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25). |
| C# | 997 | This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster. |
| C# | 998 | This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1). |
| C# | 1000 | This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE. |
| C# | 1001 | This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3). |
| C# | 1002 | This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster. |
| C# | 1003 | CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus. |
| C# | 1004 | The software uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. |
| C# | 1005 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input." |
| C# | 1006 | Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code. |
| C# | 1008 | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
| C# | 1009 | Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture. |
| C# | 1010 | Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| C# | 1011 | Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture. |
| C# | 1012 | Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture. |
| C# | 1013 | Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture. |
| C# | 1014 | Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture. |
| C# | 1015 | Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| C# | 1016 | Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture. |
| C# | 1019 | Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture. |
| C# | 1020 | Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture. |
| C# | 1026 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. |
| C# | 1027 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2017. |
| C# | 1028 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017. |
| C# | 1029 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017. |
| C# | 1030 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2017. |
| C# | 1031 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017. |
| C# | 1032 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017. |
| C# | 1033 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2017. |
| C# | 1034 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2017. |
| C# | 1036 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2017. |
| C# | 1041 | The software has multiple functions, methods, procedures, macros, etc. that contain the same code. |
| C# | 1078 | The source code does not follow desired style or formatting for indentation, white space, comments, etc. |
| C# | 1114 | The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product. |
| C# | 1128 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards. |
| C# | 1129 | Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software. |
| C# | 1130 | Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software. |
| C# | 1131 | Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software. |
| C# | 1133 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. |
| C# | 1134 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1136 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1137 | Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1140 | Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1141 | Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1142 | Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1143 | Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1145 | Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1147 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1148 | Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1149 | Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1150 | Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1152 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C# | 1154 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard. |
| C# | 1157 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard. |
| C# | 1158 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard. |
| C# | 1159 | Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard. |
| C# | 1162 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard. |
| C# | 1163 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard. |
| C# | 1164 | The program contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness. |
| C# | 1165 | Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard. |
| C# | 1166 | Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard. |
| C# | 1169 | Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard. |
| C# | 1170 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard. |
| C# | 1171 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard. |
| C# | 1172 | Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard. |
| C# | 1178 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard. |
| C# | 1179 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard. |
| C# | 1180 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard. |
| C# | 1181 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard. |
| C# | 1182 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard. |
| C# | 1186 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard. |
| C# | 1194 | This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| C# | 1200 | CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors. |
| C# | 1202 | Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC). |
| C# | 1210 | Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed. |
| C# | 1211 | Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability. |
| C# | 1212 | Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability. |
| C# | 1213 | Weaknesses in this category are related to a software system's random number generation. |
| C# | 1214 | Weaknesses in this category are related to a software system's data integrity components. Frequently these deal with the ability to ensure the integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed. |
| C# | 1215 | Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed. |
| C# | 1219 | Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. |
| C# | 1228 | Weaknesses in this category are related to the use of built-in functions or external APIs. |
| C# | 1275 | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
| C# | 1305 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards. |
| C# | 1306 | Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software. |
| C# | 1307 | Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software. |
| C# | 1308 | Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software. |
| C# | 1309 | Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software. |
| C# | 1337 | CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses. |
| C# | 1340 | This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group. |
| C# | 1344 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| C# | 1345 | Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021. |
| C# | 1346 | Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021. |
| C# | 1347 | Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021. |
| C# | 1348 | Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021. |
| C# | 1349 | Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021. |
| C# | 1350 | CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. |
| C# | 1353 | Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021. |
| C# | 1354 | Weaknesses in this category are related to the A08 category "Software and Data Integrity Failures" in the OWASP Top Ten 2021. |
| C# | 1355 | Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top Ten 2021. |
| C# | 1358 | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C# | 1359 | Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C# | 1360 | Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C# | 1362 | Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C# | 1363 | Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C# | 1364 | Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C# | 1366 | Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C# | 1368 | Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C# | 1376 | Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C# | 1382 | Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C# | 1383 | Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C# | 1387 | CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses. |
| C/C++ | 2 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." |
| C/C++ | 4 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 5 | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. |
| C/C++ | 16 | Weaknesses in this category are typically introduced during the configuration of the software. |
| C/C++ | 17 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 18 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 19 | Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. |
| C/C++ | 20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| C/C++ | 21 | This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706). |
| C/C++ | 22 | The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| C/C++ | 23 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
| C/C++ | 36 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. |
| C/C++ | 59 | The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| C/C++ | 66 | The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file. |
| C/C++ | 67 | The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. |
| C/C++ | 68 | This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships. |
| C/C++ | 74 | The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| C/C++ | 77 | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| C/C++ | 78 | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| C/C++ | 88 | The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| C/C++ | 89 | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. |
| C/C++ | 91 | The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| C/C++ | 93 | The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| C/C++ | 94 | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| C/C++ | 99 | The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. |
| C/C++ | 113 | The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| C/C++ | 116 | The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| C/C++ | 117 | The software does not neutralize or incorrectly neutralizes output that is written to logs. |
| C/C++ | 118 | The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. |
| C/C++ | 119 | The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. |
| C/C++ | 120 | The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. |
| C/C++ | 121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| C/C++ | 122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| C/C++ | 123 | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
| C/C++ | 124 | The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| C/C++ | 125 | The software reads data past the end, or before the beginning, of the intended buffer. |
| C/C++ | 126 | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
| C/C++ | 127 | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. |
| C/C++ | 128 | Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value. |
| C/C++ | 129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
| C/C++ | 130 | The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
| C/C++ | 131 | The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. |
| C/C++ | 133 | Weaknesses in this category are related to the creation and modification of strings. |
| C/C++ | 134 | The software uses a function that accepts a format string as an argument, but the format string originates from an external source. |
| C/C++ | 135 | The software does not correctly calculate the length of strings that can contain wide or multi-byte characters. |
| C/C++ | 136 | Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types. |
| C/C++ | 137 | Weaknesses in this category are related to the creation or neutralization of data using an incorrect format. |
| C/C++ | 138 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. |
| C/C++ | 140 | The software does not neutralize or incorrectly neutralizes delimiters. |
| C/C++ | 141 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. |
| C/C++ | 142 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component. |
| C/C++ | 143 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component. |
| C/C++ | 146 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. |
| C/C++ | 149 | Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions. |
| C/C++ | 150 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
| C/C++ | 157 | The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces. |
| C/C++ | 169 | This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy. |
| C/C++ | 170 | The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
| C/C++ | 171 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories. |
| C/C++ | 188 | The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. |
| C/C++ | 189 | Weaknesses in this category are related to improper calculation or conversion of numbers. |
| C/C++ | 190 | The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. |
| C/C++ | 192 | Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. |
| C/C++ | 194 | The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. |
| C/C++ | 195 | The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive cannot be represented using an unsigned primitive. |
| C/C++ | 197 | Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. |
| C/C++ | 198 | The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used. |
| C/C++ | 199 | Weaknesses in this category are related to improper handling of sensitive information. |
| C/C++ | 200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| C/C++ | 201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| C/C++ | 209 | The software generates an error message that includes sensitive information about its environment, users, or associated data. |
| C/C++ | 210 | The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
| C/C++ | 211 | The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. |
| C/C++ | 216 | This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. |
| C/C++ | 221 | The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. |
| C/C++ | 226 | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
| C/C++ | 227 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." |
| C/C++ | 228 | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. |
| C/C++ | 237 | The software does not handle or incorrectly handles inputs that are related to complex structures. |
| C/C++ | 240 | The software does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. |
| C/C++ | 241 | The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |
| C/C++ | 242 | The program calls a function that can never be guaranteed to work safely. |
| C/C++ | 243 | The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. |
| C/C++ | 247 | This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. |
| C/C++ | 248 | An exception is thrown from a function, but it is not caught. |
| C/C++ | 249 | This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the "path manipulation" term and the description. The original description for this entry was the same as that for the "Often Misused: File System" item in the original Seven Pernicious Kingdoms paper. However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase that is for external control of pathnames (CWE-73), which is a factor in symbolic link following and path traversal, neither of which is explicitly mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation" for a broader range of problems, generally for issues related to buffer management. Given the multiple conflicting uses of this term, there is a chance that CWE users may have incorrectly mapped to this entry. The second reason for deprecation is an implied combination of multiple weaknesses within buffer-handling functions. The focus of this entry was generally on the path-conversion functions and their association with buffer overflows. However, some of Fortify's Vulncat entries have the term "path manipulation" but describe a non-overflow weakness in which the buffer is not guaranteed to contain the entire pathname, i.e., there is information truncation (see CWE-222 for a similar concept). A new entry for this non-overflow weakness may be created in a future version of CWE. |
| C/C++ | 252 | The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| C/C++ | 253 | The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. |
| C/C++ | 254 | Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management. |
| C/C++ | 255 | Weaknesses in this category are related to the management of credentials. |
| C/C++ | 256 | Storing a password in plaintext may result in a system compromise. |
| C/C++ | 257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
| C/C++ | 259 | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| C/C++ | 264 | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| C/C++ | 265 | Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer. |
| C/C++ | 269 | The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| C/C++ | 271 | The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. |
| C/C++ | 272 | The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. |
| C/C++ | 273 | The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. |
| C/C++ | 275 | Weaknesses in this category are related to improper assignment or handling of permissions. |
| C/C++ | 276 | During installation, installed file permissions are set to allow anyone to modify those files. |
| C/C++ | 282 | The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. |
| C/C++ | 284 | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| C/C++ | 285 | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| C/C++ | 287 | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. |
| C/C++ | 290 | This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. |
| C/C++ | 291 | The software uses an IP address for authentication. |
| C/C++ | 293 | The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. |
| C/C++ | 300 | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
| C/C++ | 310 | Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. |
| C/C++ | 311 | The software does not encrypt sensitive or critical information before storage or transmission. |
| C/C++ | 312 | The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| C/C++ | 313 | The application stores sensitive information in cleartext in a file, or on disk. |
| C/C++ | 314 | The application stores sensitive information in cleartext in the registry. |
| C/C++ | 315 | The application stores sensitive information in cleartext in a cookie. |
| C/C++ | 317 | The application stores sensitive information in cleartext within the GUI. |
| C/C++ | 318 | The application stores sensitive information in cleartext in an executable. |
| C/C++ | 319 | The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| C/C++ | 320 | Weaknesses in this category are related to errors in the management of cryptographic keys. |
| C/C++ | 321 | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. |
| C/C++ | 326 | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| C/C++ | 327 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| C/C++ | 328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
| C/C++ | 330 | The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| C/C++ | 335 | The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. |
| C/C++ | 338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| C/C++ | 344 | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| C/C++ | 350 | The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. |
| C/C++ | 355 | Weaknesses in this category are related to or introduced in the User Interface (UI). |
| C/C++ | 359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| C/C++ | 361 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." |
| C/C++ | 362 | The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. |
| C/C++ | 363 | The software checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the software to access the wrong file. |
| C/C++ | 364 | The software uses a signal handler that introduces a race condition. |
| C/C++ | 366 | If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. |
| C/C++ | 367 | The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. |
| C/C++ | 369 | The product divides a value by zero. |
| C/C++ | 376 | This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219). |
| C/C++ | 377 | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| C/C++ | 379 | The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. |
| C/C++ | 387 | Weaknesses in this category are related to the improper handling of signals. |
| C/C++ | 388 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle." |
| C/C++ | 389 | This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. |
| C/C++ | 391 | [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. |
| C/C++ | 393 | A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. |
| C/C++ | 394 | The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software. |
| C/C++ | 396 | Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. |
| C/C++ | 397 | Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. |
| C/C++ | 398 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways." |
| C/C++ | 399 | Weaknesses in this category are related to improper management of system resources. |
| C/C++ | 400 | The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. |
| C/C++ | 401 | The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. |
| C/C++ | 404 | The program does not release or incorrectly releases a resource before it is made available for re-use. |
| C/C++ | 411 | Weaknesses in this category are related to improper handling of locks that are used to control access to resources. |
| C/C++ | 415 | The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. |
| C/C++ | 416 | Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. |
| C/C++ | 429 | Weaknesses in this category are related to improper management of handlers. |
| C/C++ | 435 | An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. |
| C/C++ | 438 | Weaknesses in this category are related to unexpected behaviors from code that an application uses. |
| C/C++ | 441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
| C/C++ | 442 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 452 | Weaknesses in this category occur in behaviors that are used for initialization and breakdown. |
| C/C++ | 456 | The software does not initialize critical variables, which causes the execution environment to use unexpected values. |
| C/C++ | 457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
| C/C++ | 459 | The software does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| C/C++ | 461 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 464 | The accidental addition of a data-structure sentinel can cause serious programming logic problems. |
| C/C++ | 465 | Weaknesses in this category are related to improper handling of pointers. |
| C/C++ | 467 | The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated. |
| C/C++ | 468 | In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled. |
| C/C++ | 469 | The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk. |
| C/C++ | 471 | The software does not properly protect an assumed-immutable element from being modified by an attacker. |
| C/C++ | 475 | The behavior of this function is undefined unless its control parameter is set to a specific value. |
| C/C++ | 476 | A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. |
| C/C++ | 477 | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
| C/C++ | 479 | The program defines a signal handler that calls a non-reentrant function. |
| C/C++ | 480 | The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. |
| C/C++ | 481 | The code uses an operator for assignment when the intention was to perform a comparison. |
| C/C++ | 482 | The code uses an operator for comparison when the intention was to perform an assignment. |
| C/C++ | 483 | The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. |
| C/C++ | 484 | The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. |
| C/C++ | 485 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not." |
| C/C++ | 490 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 493 | The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. |
| C/C++ | 497 | The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. |
| C/C++ | 500 | An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. |
| C/C++ | 505 | This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| C/C++ | 523 | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| C/C++ | 532 | Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. |
| C/C++ | 535 | A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. |
| C/C++ | 536 | A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. |
| C/C++ | 538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| C/C++ | 539 | The web application uses persistent cookies, but the cookies contain sensitive information. |
| C/C++ | 547 | The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. |
| C/C++ | 550 | Certain conditions, such as network failure, will cause a server error message to be displayed. |
| C/C++ | 552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| C/C++ | 557 | Weaknesses in this category are related to concurrent use of shared resources. |
| C/C++ | 559 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| C/C++ | 561 | The software contains dead code, which can never be executed. |
| C/C++ | 562 | A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. |
| C/C++ | 563 | The variable's value is assigned but never used, making it a dead store. |
| C/C++ | 566 | The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. |
| C/C++ | 567 | The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. |
| C/C++ | 569 | Weaknesses in this category are related to incorrectly written expressions within code. |
| C/C++ | 570 | The software contains an expression that will always evaluate to false. |
| C/C++ | 571 | The software contains an expression that will always evaluate to true. |
| C/C++ | 573 | The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. |
| C/C++ | 590 | The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). |
| C/C++ | 592 | This weakness has been deprecated because it covered redundant concepts already described in CWE-287. |
| C/C++ | 595 | The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. |
| C/C++ | 597 | The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. |
| C/C++ | 606 | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. |
| C/C++ | 610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| C/C++ | 617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| C/C++ | 628 | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. |
| C/C++ | 629 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C/C++ | 632 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| C/C++ | 633 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| C/C++ | 634 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| C/C++ | 635 | CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. |
| C/C++ | 637 | The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. |
| C/C++ | 639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| C/C++ | 643 | The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. |
| C/C++ | 644 | The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
| C/C++ | 655 | The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose. |
| C/C++ | 657 | The product violates well-established principles for secure design. |
| C/C++ | 662 | The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. |
| C/C++ | 663 | The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. |
| C/C++ | 664 | The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. |
| C/C++ | 665 | The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. |
| C/C++ | 666 | The software performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors. |
| C/C++ | 667 | The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
| C/C++ | 668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| C/C++ | 669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
| C/C++ | 670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
| C/C++ | 671 | The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. |
| C/C++ | 672 | The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |
| C/C++ | 675 | The product performs the same operation on a resource two or more times, when the operation should only be applied once. |
| C/C++ | 676 | The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. |
| C/C++ | 680 | The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. |
| C/C++ | 681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
| C/C++ | 682 | The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. |
| C/C++ | 683 | The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. |
| C/C++ | 684 | The code does not function according to its published specifications, potentially leading to incorrect usage. |
| C/C++ | 685 | The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. |
| C/C++ | 686 | The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. |
| C/C++ | 687 | The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. |
| C/C++ | 691 | The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. |
| C/C++ | 693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| C/C++ | 694 | The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. |
| C/C++ | 696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. |
| C/C++ | 697 | The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. |
| C/C++ | 699 | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| C/C++ | 700 | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |
| C/C++ | 703 | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| C/C++ | 704 | The software does not correctly convert an object, resource, or structure from one type to a different type. |
| C/C++ | 705 | The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. |
| C/C++ | 706 | The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
| C/C++ | 707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| C/C++ | 710 | The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. |
| C/C++ | 711 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C/C++ | 713 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007. |
| C/C++ | 714 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2007. |
| C/C++ | 715 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2007. |
| C/C++ | 717 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2007. |
| C/C++ | 718 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007. |
| C/C++ | 719 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007. |
| C/C++ | 720 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. |
| C/C++ | 721 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2007. |
| C/C++ | 722 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004. |
| C/C++ | 723 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004. |
| C/C++ | 724 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004. |
| C/C++ | 725 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004. |
| C/C++ | 726 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2004. |
| C/C++ | 727 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004. |
| C/C++ | 728 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004. |
| C/C++ | 729 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004. |
| C/C++ | 730 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004. |
| C/C++ | 731 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004. |
| C/C++ | 732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| C/C++ | 734 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. |
| C/C++ | 735 | Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 736 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 737 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 738 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 739 | Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 740 | Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 741 | Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 742 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 743 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 744 | Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 745 | Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 746 | Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 747 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008). |
| C/C++ | 748 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008). |
| C/C++ | 750 | CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| C/C++ | 751 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| C/C++ | 752 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| C/C++ | 753 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| C/C++ | 754 | The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. |
| C/C++ | 755 | The software does not handle or incorrectly handles an exceptional condition. |
| C/C++ | 758 | The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
| C/C++ | 759 | The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. |
| C/C++ | 760 | The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input. |
| C/C++ | 762 | The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. |
| C/C++ | 763 | The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. |
| C/C++ | 764 | The software locks a critical resource more times than intended, leading to an unexpected state in the system. |
| C/C++ | 765 | The software unlocks a critical resource more times than intended, leading to an unexpected state in the system. |
| C/C++ | 769 | This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. |
| C/C++ | 770 | The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. |
| C/C++ | 771 | The software does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. |
| C/C++ | 772 | The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
| C/C++ | 775 | The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. |
| C/C++ | 783 | The program uses an expression in which operator precedence causes incorrect logic to be used. |
| C/C++ | 786 | The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| C/C++ | 787 | The software writes data past the end, or before the beginning, of the intended buffer. |
| C/C++ | 788 | The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer. |
| C/C++ | 789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| C/C++ | 798 | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| C/C++ | 800 | CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| C/C++ | 801 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| C/C++ | 802 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| C/C++ | 803 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| C/C++ | 805 | The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer. |
| C/C++ | 807 | The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| C/C++ | 808 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| C/C++ | 809 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C/C++ | 810 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010. |
| C/C++ | 812 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010. |
| C/C++ | 813 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2010. |
| C/C++ | 815 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2010. |
| C/C++ | 816 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010. |
| C/C++ | 817 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2010. |
| C/C++ | 818 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. |
| C/C++ | 820 | The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. |
| C/C++ | 823 | The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. |
| C/C++ | 825 | The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
| C/C++ | 828 | The software defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted. |
| C/C++ | 833 | The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. |
| C/C++ | 834 | The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
| C/C++ | 835 | The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| C/C++ | 840 | Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses. |
| C/C++ | 843 | The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
| C/C++ | 844 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
| C/C++ | 845 | Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 846 | Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 847 | Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 848 | Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 849 | Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 850 | Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 851 | Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 852 | Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 853 | Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 854 | Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 857 | Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 858 | Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 859 | Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 860 | Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 861 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| C/C++ | 862 | The software does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| C/C++ | 864 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C/C++ | 865 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C/C++ | 866 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C/C++ | 867 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| C/C++ | 868 | CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016. |
| C/C++ | 871 | Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 872 | Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 873 | Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 874 | Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 875 | Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 876 | Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 877 | Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 878 | Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 879 | Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 880 | Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 881 | Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 882 | Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 883 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| C/C++ | 884 | This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries. |
| C/C++ | 885 | This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1). |
| C/C++ | 886 | This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2). |
| C/C++ | 887 | This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3). |
| C/C++ | 888 | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
| C/C++ | 889 | This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6). |
| C/C++ | 890 | This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8). |
| C/C++ | 891 | This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38). |
| C/C++ | 892 | This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37). |
| C/C++ | 893 | This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18). |
| C/C++ | 894 | This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22). |
| C/C++ | 895 | This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23). |
| C/C++ | 896 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27). |
| C/C++ | 897 | This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28). |
| C/C++ | 898 | This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34). |
| C/C++ | 899 | This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35). |
| C/C++ | 900 | CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| C/C++ | 901 | This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36). |
| C/C++ | 902 | This category identifies Software Fault Patterns (SFPs) within the Channel cluster. |
| C/C++ | 903 | This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster. |
| C/C++ | 905 | This category identifies Software Fault Patterns (SFPs) within the Predictability cluster. |
| C/C++ | 906 | This category identifies Software Fault Patterns (SFPs) within the UI cluster. |
| C/C++ | 907 | This category identifies Software Fault Patterns (SFPs) within the Other cluster. |
| C/C++ | 908 | The software uses or accesses a resource that has not been initialized. |
| C/C++ | 909 | The software does not initialize a critical resource. |
| C/C++ | 910 | The software uses or accesses a file descriptor after it has been closed. |
| C/C++ | 913 | The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
| C/C++ | 916 | The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
| C/C++ | 918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| C/C++ | 922 | The software stores sensitive information without properly limiting read or write access by unauthorized actors. |
| C/C++ | 923 | The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
| C/C++ | 928 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| C/C++ | 929 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013. |
| C/C++ | 930 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013. |
| C/C++ | 932 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2013. |
| C/C++ | 933 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2013. |
| C/C++ | 934 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013. |
| C/C++ | 935 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013. |
| C/C++ | 943 | The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
| C/C++ | 944 | This category identifies Software Fault Patterns (SFPs) within the Access Management cluster. |
| C/C++ | 945 | This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35). |
| C/C++ | 946 | This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster. |
| C/C++ | 947 | This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster. |
| C/C++ | 949 | This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29). |
| C/C++ | 950 | This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33). |
| C/C++ | 956 | This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster. |
| C/C++ | 957 | This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster. |
| C/C++ | 958 | This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster. |
| C/C++ | 959 | This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster. |
| C/C++ | 960 | This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5). |
| C/C++ | 961 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6). |
| C/C++ | 962 | This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4). |
| C/C++ | 963 | This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23). |
| C/C++ | 964 | This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster. |
| C/C++ | 966 | This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster. |
| C/C++ | 969 | This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12). |
| C/C++ | 970 | This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8). |
| C/C++ | 971 | This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7). |
| C/C++ | 973 | This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11). |
| C/C++ | 974 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10). |
| C/C++ | 975 | This category identifies Software Fault Patterns (SFPs) within the Architecture cluster. |
| C/C++ | 977 | This category identifies Software Fault Patterns (SFPs) within the Design cluster. |
| C/C++ | 978 | This category identifies Software Fault Patterns (SFPs) within the Implementation cluster. |
| C/C++ | 979 | This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17). |
| C/C++ | 980 | This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18). |
| C/C++ | 981 | This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16). |
| C/C++ | 982 | This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14). |
| C/C++ | 983 | This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15). |
| C/C++ | 984 | This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster. |
| C/C++ | 985 | This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13). |
| C/C++ | 986 | This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19). |
| C/C++ | 987 | This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21). |
| C/C++ | 988 | This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20). |
| C/C++ | 990 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24). |
| C/C++ | 991 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27). |
| C/C++ | 992 | This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster. |
| C/C++ | 993 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster. |
| C/C++ | 994 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25). |
| C/C++ | 995 | This category identifies Software Fault Patterns (SFPs) within the Feature cluster. |
| C/C++ | 997 | This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster. |
| C/C++ | 998 | This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1). |
| C/C++ | 1000 | This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE. |
| C/C++ | 1001 | This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3). |
| C/C++ | 1002 | This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster. |
| C/C++ | 1003 | CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus. |
| C/C++ | 1005 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input." |
| C/C++ | 1006 | Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code. |
| C/C++ | 1008 | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
| C/C++ | 1009 | Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1010 | Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1011 | Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1012 | Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1013 | Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1014 | Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1015 | Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1016 | Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1019 | Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1020 | Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture. |
| C/C++ | 1026 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. |
| C/C++ | 1027 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2017. |
| C/C++ | 1028 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017. |
| C/C++ | 1029 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017. |
| C/C++ | 1031 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017. |
| C/C++ | 1032 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017. |
| C/C++ | 1037 | The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. |
| C/C++ | 1041 | The software has multiple functions, methods, procedures, macros, etc. that contain the same code. |
| C/C++ | 1045 | A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. |
| C/C++ | 1055 | The software contains a class with inheritance from more than one concrete class. |
| C/C++ | 1059 | The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc. |
| C/C++ | 1061 | The software does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. |
| C/C++ | 1076 | The product's architecture, source code, design, documentation, or other artifact does not follow required conventions. |
| C/C++ | 1077 | The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision. |
| C/C++ | 1078 | The source code does not follow desired style or formatting for indentation, white space, comments, etc. |
| C/C++ | 1079 | A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. |
| C/C++ | 1095 | The software uses a loop with a control flow condition based on a value that is updated within the body of the loop. |
| C/C++ | 1108 | The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context. |
| C/C++ | 1109 | The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data. |
| C/C++ | 1113 | The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product. |
| C/C++ | 1114 | The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product. |
| C/C++ | 1126 | The source code declares a variable in one scope, but the variable is only used within a narrower scope. |
| C/C++ | 1128 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards. |
| C/C++ | 1129 | Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software. |
| C/C++ | 1130 | Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software. |
| C/C++ | 1131 | Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software. |
| C/C++ | 1133 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. |
| C/C++ | 1134 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1135 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1136 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1137 | Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1139 | Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1140 | Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1141 | Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1142 | Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1143 | Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1147 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1148 | Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1149 | Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1150 | Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1152 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| C/C++ | 1154 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard. |
| C/C++ | 1156 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard. |
| C/C++ | 1157 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard. |
| C/C++ | 1158 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard. |
| C/C++ | 1159 | Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard. |
| C/C++ | 1160 | Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard. |
| C/C++ | 1161 | Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard. |
| C/C++ | 1162 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard. |
| C/C++ | 1163 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard. |
| C/C++ | 1164 | The program contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness. |
| C/C++ | 1165 | Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard. |
| C/C++ | 1166 | Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard. |
| C/C++ | 1167 | Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard. |
| C/C++ | 1168 | Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard. |
| C/C++ | 1169 | Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard. |
| C/C++ | 1170 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard. |
| C/C++ | 1171 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard. |
| C/C++ | 1172 | Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard. |
| C/C++ | 1177 | The software uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer. |
| C/C++ | 1178 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard. |
| C/C++ | 1179 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard. |
| C/C++ | 1180 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard. |
| C/C++ | 1181 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard. |
| C/C++ | 1182 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard. |
| C/C++ | 1185 | Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard. |
| C/C++ | 1186 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard. |
| C/C++ | 1194 | This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| C/C++ | 1195 | Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain. |
| C/C++ | 1198 | Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses. |
| C/C++ | 1200 | CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors. |
| C/C++ | 1202 | Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC). |
| C/C++ | 1205 | Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs). |
| C/C++ | 1208 | Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components. |
| C/C++ | 1210 | Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed. |
| C/C++ | 1211 | Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability. |
| C/C++ | 1212 | Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability. |
| C/C++ | 1213 | Weaknesses in this category are related to a software system's random number generation. |
| C/C++ | 1215 | Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed. |
| C/C++ | 1218 | Weaknesses in this category are related to the handling of memory buffers within a software system. |
| C/C++ | 1219 | Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. |
| C/C++ | 1226 | Weaknesses in this category are associated with things being overly complex. |
| C/C++ | 1228 | Weaknesses in this category are related to the use of built-in functions or external APIs. |
| C/C++ | 1237 | This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37). |
| C/C++ | 1238 | This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38). |
| C/C++ | 1241 | The device uses an algorithm that is predictable and generates a pseudo-random number. |
| C/C++ | 1305 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards. |
| C/C++ | 1306 | Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software. |
| C/C++ | 1307 | Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software. |
| C/C++ | 1308 | Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software. |
| C/C++ | 1309 | Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software. |
| C/C++ | 1337 | CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses. |
| C/C++ | 1340 | This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group. |
| C/C++ | 1344 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| C/C++ | 1345 | Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021. |
| C/C++ | 1346 | Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021. |
| C/C++ | 1347 | Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021. |
| C/C++ | 1348 | Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021. |
| C/C++ | 1349 | Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021. |
| C/C++ | 1350 | CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. |
| C/C++ | 1353 | Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021. |
| C/C++ | 1355 | Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top Ten 2021. |
| C/C++ | 1356 | Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top Ten 2021. |
| C/C++ | 1358 | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1359 | Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C/C++ | 1360 | Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C/C++ | 1361 | Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C/C++ | 1362 | Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C/C++ | 1363 | Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| C/C++ | 1364 | Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1366 | Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1368 | Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1371 | Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1372 | Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1373 | Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1376 | Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1379 | Weaknesses in this category are related to the "Human factors in ICS environments" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1382 | Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1383 | Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| C/C++ | 1387 | CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses. |
| CUDA | 2 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." |
| CUDA | 4 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 5 | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. |
| CUDA | 16 | Weaknesses in this category are typically introduced during the configuration of the software. |
| CUDA | 17 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 18 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 19 | Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. |
| CUDA | 20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CUDA | 21 | This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706). |
| CUDA | 22 | The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CUDA | 23 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
| CUDA | 36 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. |
| CUDA | 59 | The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CUDA | 66 | The product does not handle or incorrectly handles a file name that identifies a "virtual" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file. |
| CUDA | 67 | The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file. |
| CUDA | 68 | This category has been deprecated as it was found to be an unnecessary abstraction of platform specific details. Please refer to the category CWE-632 and weakness CWE-66 for relevant relationships. |
| CUDA | 74 | The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CUDA | 77 | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CUDA | 78 | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CUDA | 88 | The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| CUDA | 89 | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. |
| CUDA | 91 | The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| CUDA | 93 | The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| CUDA | 94 | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CUDA | 99 | The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. |
| CUDA | 113 | The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CUDA | 116 | The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CUDA | 117 | The software does not neutralize or incorrectly neutralizes output that is written to logs. |
| CUDA | 118 | The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. |
| CUDA | 119 | The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. |
| CUDA | 120 | The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. |
| CUDA | 121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
| CUDA | 122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CUDA | 123 | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
| CUDA | 124 | The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| CUDA | 125 | The software reads data past the end, or before the beginning, of the intended buffer. |
| CUDA | 126 | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
| CUDA | 127 | The software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. |
| CUDA | 128 | Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value. |
| CUDA | 129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
| CUDA | 130 | The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
| CUDA | 131 | The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. |
| CUDA | 133 | Weaknesses in this category are related to the creation and modification of strings. |
| CUDA | 134 | The software uses a function that accepts a format string as an argument, but the format string originates from an external source. |
| CUDA | 135 | The software does not correctly calculate the length of strings that can contain wide or multi-byte characters. |
| CUDA | 136 | Weaknesses in this category are caused by improper data type transformation or improper handling of multiple data types. |
| CUDA | 137 | Weaknesses in this category are related to the creation or neutralization of data using an incorrect format. |
| CUDA | 138 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. |
| CUDA | 140 | The software does not neutralize or incorrectly neutralizes delimiters. |
| CUDA | 141 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. |
| CUDA | 142 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component. |
| CUDA | 143 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component. |
| CUDA | 146 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. |
| CUDA | 149 | Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions. |
| CUDA | 150 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
| CUDA | 157 | The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces. |
| CUDA | 169 | This category has been deprecated. It was originally intended as a "catch-all" for input validation problems in technologies that did not have their own CWE, but introduces unnecessary depth to the hierarchy. |
| CUDA | 170 | The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
| CUDA | 171 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories. |
| CUDA | 188 | The software makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. |
| CUDA | 189 | Weaknesses in this category are related to improper calculation or conversion of numbers. |
| CUDA | 190 | The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. |
| CUDA | 192 | Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. |
| CUDA | 194 | The software performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses. |
| CUDA | 195 | The software uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive cannot be represented using an unsigned primitive. |
| CUDA | 197 | Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. |
| CUDA | 198 | The software receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used. |
| CUDA | 199 | Weaknesses in this category are related to improper handling of sensitive information. |
| CUDA | 200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CUDA | 201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CUDA | 209 | The software generates an error message that includes sensitive information about its environment, users, or associated data. |
| CUDA | 210 | The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
| CUDA | 211 | The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. |
| CUDA | 216 | This entry has been deprecated, as it was not effective as a weakness and was structured more like a category. In addition, the name is inappropriate, since the "container" term is widely understood by developers in different ways than originally intended by PLOVER, the original source for this entry. |
| CUDA | 221 | The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. |
| CUDA | 226 | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
| CUDA | 227 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." |
| CUDA | 228 | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. |
| CUDA | 237 | The software does not handle or incorrectly handles inputs that are related to complex structures. |
| CUDA | 240 | The software does not handle or incorrectly handles when two or more structural elements should be consistent, but are not. |
| CUDA | 241 | The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z). |
| CUDA | 242 | The program calls a function that can never be guaranteed to work safely. |
| CUDA | 243 | The program uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail. |
| CUDA | 247 | This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350. |
| CUDA | 248 | An exception is thrown from a function, but it is not caught. |
| CUDA | 249 | This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the "path manipulation" term and the description. The original description for this entry was the same as that for the "Often Misused: File System" item in the original Seven Pernicious Kingdoms paper. However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase that is for external control of pathnames (CWE-73), which is a factor in symbolic link following and path traversal, neither of which is explicitly mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation" for a broader range of problems, generally for issues related to buffer management. Given the multiple conflicting uses of this term, there is a chance that CWE users may have incorrectly mapped to this entry. The second reason for deprecation is an implied combination of multiple weaknesses within buffer-handling functions. The focus of this entry was generally on the path-conversion functions and their association with buffer overflows. However, some of Fortify's Vulncat entries have the term "path manipulation" but describe a non-overflow weakness in which the buffer is not guaranteed to contain the entire pathname, i.e., there is information truncation (see CWE-222 for a similar concept). A new entry for this non-overflow weakness may be created in a future version of CWE. |
| CUDA | 252 | The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CUDA | 253 | The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. |
| CUDA | 254 | Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management. |
| CUDA | 255 | Weaknesses in this category are related to the management of credentials. |
| CUDA | 256 | Storing a password in plaintext may result in a system compromise. |
| CUDA | 257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
| CUDA | 259 | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CUDA | 264 | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| CUDA | 265 | Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer. |
| CUDA | 269 | The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CUDA | 271 | The software does not drop privileges before passing control of a resource to an actor that does not have those privileges. |
| CUDA | 272 | The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. |
| CUDA | 273 | The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. |
| CUDA | 275 | Weaknesses in this category are related to improper assignment or handling of permissions. |
| CUDA | 276 | During installation, installed file permissions are set to allow anyone to modify those files. |
| CUDA | 282 | The software assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. |
| CUDA | 284 | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CUDA | 285 | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CUDA | 287 | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. |
| CUDA | 290 | This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks. |
| CUDA | 291 | The software uses an IP address for authentication. |
| CUDA | 293 | The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking. |
| CUDA | 300 | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
| CUDA | 310 | Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. |
| CUDA | 311 | The software does not encrypt sensitive or critical information before storage or transmission. |
| CUDA | 312 | The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| CUDA | 313 | The application stores sensitive information in cleartext in a file, or on disk. |
| CUDA | 314 | The application stores sensitive information in cleartext in the registry. |
| CUDA | 315 | The application stores sensitive information in cleartext in a cookie. |
| CUDA | 317 | The application stores sensitive information in cleartext within the GUI. |
| CUDA | 318 | The application stores sensitive information in cleartext in an executable. |
| CUDA | 319 | The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CUDA | 320 | Weaknesses in this category are related to errors in the management of cryptographic keys. |
| CUDA | 321 | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. |
| CUDA | 326 | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CUDA | 327 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| CUDA | 328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
| CUDA | 330 | The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CUDA | 335 | The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. |
| CUDA | 338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| CUDA | 344 | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| CUDA | 350 | The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. |
| CUDA | 355 | Weaknesses in this category are related to or introduced in the User Interface (UI). |
| CUDA | 359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| CUDA | 361 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." |
| CUDA | 362 | The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. |
| CUDA | 363 | The software checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the software to access the wrong file. |
| CUDA | 364 | The software uses a signal handler that introduces a race condition. |
| CUDA | 366 | If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. |
| CUDA | 367 | The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state. |
| CUDA | 369 | The product divides a value by zero. |
| CUDA | 376 | This category has been deprecated. It was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. Consider using the File Handling Issues category (CWE-1219). |
| CUDA | 377 | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| CUDA | 379 | The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. |
| CUDA | 387 | Weaknesses in this category are related to the improper handling of signals. |
| CUDA | 388 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle." |
| CUDA | 389 | This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. |
| CUDA | 391 | [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. |
| CUDA | 393 | A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. |
| CUDA | 394 | The software does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the software. |
| CUDA | 396 | Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. |
| CUDA | 397 | Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. |
| CUDA | 398 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways." |
| CUDA | 399 | Weaknesses in this category are related to improper management of system resources. |
| CUDA | 400 | The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. |
| CUDA | 401 | The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. |
| CUDA | 404 | The program does not release or incorrectly releases a resource before it is made available for re-use. |
| CUDA | 411 | Weaknesses in this category are related to improper handling of locks that are used to control access to resources. |
| CUDA | 415 | The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations. |
| CUDA | 416 | Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. |
| CUDA | 429 | Weaknesses in this category are related to improper management of handlers. |
| CUDA | 435 | An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. |
| CUDA | 438 | Weaknesses in this category are related to unexpected behaviors from code that an application uses. |
| CUDA | 441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
| CUDA | 442 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 452 | Weaknesses in this category occur in behaviors that are used for initialization and breakdown. |
| CUDA | 456 | The software does not initialize critical variables, which causes the execution environment to use unexpected values. |
| CUDA | 457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
| CUDA | 459 | The software does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| CUDA | 461 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 464 | The accidental addition of a data-structure sentinel can cause serious programming logic problems. |
| CUDA | 465 | Weaknesses in this category are related to improper handling of pointers. |
| CUDA | 467 | The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated. |
| CUDA | 468 | In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled. |
| CUDA | 469 | The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk. |
| CUDA | 471 | The software does not properly protect an assumed-immutable element from being modified by an attacker. |
| CUDA | 475 | The behavior of this function is undefined unless its control parameter is set to a specific value. |
| CUDA | 476 | A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. |
| CUDA | 477 | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
| CUDA | 479 | The program defines a signal handler that calls a non-reentrant function. |
| CUDA | 480 | The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. |
| CUDA | 481 | The code uses an operator for assignment when the intention was to perform a comparison. |
| CUDA | 482 | The code uses an operator for comparison when the intention was to perform an assignment. |
| CUDA | 483 | The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error. |
| CUDA | 484 | The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition. |
| CUDA | 485 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not." |
| CUDA | 490 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 493 | The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. |
| CUDA | 497 | The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. |
| CUDA | 500 | An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. |
| CUDA | 505 | This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CUDA | 523 | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| CUDA | 532 | Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. |
| CUDA | 535 | A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system. |
| CUDA | 536 | A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. |
| CUDA | 538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| CUDA | 539 | The web application uses persistent cookies, but the cookies contain sensitive information. |
| CUDA | 547 | The program uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change. |
| CUDA | 550 | Certain conditions, such as network failure, will cause a server error message to be displayed. |
| CUDA | 552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CUDA | 557 | Weaknesses in this category are related to concurrent use of shared resources. |
| CUDA | 559 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| CUDA | 561 | The software contains dead code, which can never be executed. |
| CUDA | 562 | A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. |
| CUDA | 563 | The variable's value is assigned but never used, making it a dead store. |
| CUDA | 566 | The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. |
| CUDA | 567 | The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. |
| CUDA | 569 | Weaknesses in this category are related to incorrectly written expressions within code. |
| CUDA | 570 | The software contains an expression that will always evaluate to false. |
| CUDA | 571 | The software contains an expression that will always evaluate to true. |
| CUDA | 573 | The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. |
| CUDA | 590 | The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc(). |
| CUDA | 592 | This weakness has been deprecated because it covered redundant concepts already described in CWE-287. |
| CUDA | 595 | The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects. |
| CUDA | 597 | The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead. |
| CUDA | 606 | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. |
| CUDA | 610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CUDA | 617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CUDA | 628 | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. |
| CUDA | 629 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CUDA | 632 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| CUDA | 633 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| CUDA | 634 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| CUDA | 635 | CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. |
| CUDA | 637 | The software uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. |
| CUDA | 639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CUDA | 643 | The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. |
| CUDA | 644 | The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
| CUDA | 657 | The product violates well-established principles for secure design. |
| CUDA | 662 | The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. |
| CUDA | 663 | The software calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state. |
| CUDA | 664 | The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. |
| CUDA | 665 | The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. |
| CUDA | 666 | The software performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors. |
| CUDA | 667 | The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
| CUDA | 668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| CUDA | 669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
| CUDA | 670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
| CUDA | 671 | The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. |
| CUDA | 672 | The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |
| CUDA | 675 | The product performs the same operation on a resource two or more times, when the operation should only be applied once. |
| CUDA | 676 | The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. |
| CUDA | 680 | The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. |
| CUDA | 681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
| CUDA | 682 | The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. |
| CUDA | 683 | The software calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses. |
| CUDA | 684 | The code does not function according to its published specifications, potentially leading to incorrect usage. |
| CUDA | 685 | The software calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses. |
| CUDA | 686 | The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses. |
| CUDA | 687 | The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses. |
| CUDA | 691 | The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. |
| CUDA | 693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CUDA | 694 | The software uses multiple resources that can have the same identifier, in a context in which unique identifiers are required. |
| CUDA | 696 | The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses. |
| CUDA | 697 | The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. |
| CUDA | 699 | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| CUDA | 700 | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |
| CUDA | 703 | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| CUDA | 704 | The software does not correctly convert an object, resource, or structure from one type to a different type. |
| CUDA | 705 | The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition. |
| CUDA | 706 | The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
| CUDA | 707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| CUDA | 710 | The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. |
| CUDA | 711 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CUDA | 713 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007. |
| CUDA | 714 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2007. |
| CUDA | 715 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2007. |
| CUDA | 717 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2007. |
| CUDA | 718 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007. |
| CUDA | 719 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007. |
| CUDA | 720 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. |
| CUDA | 721 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2007. |
| CUDA | 722 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004. |
| CUDA | 723 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004. |
| CUDA | 724 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004. |
| CUDA | 725 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004. |
| CUDA | 726 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2004. |
| CUDA | 727 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004. |
| CUDA | 728 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004. |
| CUDA | 729 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004. |
| CUDA | 730 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004. |
| CUDA | 731 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004. |
| CUDA | 732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| CUDA | 734 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. |
| CUDA | 735 | Weaknesses in this category are related to the rules and recommendations in the Preprocessor (PRE) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 736 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 737 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 738 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 739 | Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 740 | Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 741 | Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 742 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 743 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 744 | Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 745 | Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 746 | Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 747 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008). |
| CUDA | 748 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008). |
| CUDA | 750 | CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| CUDA | 751 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| CUDA | 752 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| CUDA | 753 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| CUDA | 754 | The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. |
| CUDA | 755 | The software does not handle or incorrectly handles an exceptional condition. |
| CUDA | 758 | The software uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
| CUDA | 759 | The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of the input. |
| CUDA | 760 | The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of the input. |
| CUDA | 762 | The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource. |
| CUDA | 763 | The application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly. |
| CUDA | 764 | The software locks a critical resource more times than intended, leading to an unexpected state in the system. |
| CUDA | 765 | The software unlocks a critical resource more times than intended, leading to an unexpected state in the system. |
| CUDA | 769 | This entry has been deprecated because it was a duplicate of CWE-774. All content has been transferred to CWE-774. |
| CUDA | 770 | The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. |
| CUDA | 771 | The software does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed. |
| CUDA | 772 | The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
| CUDA | 775 | The software does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed. |
| CUDA | 783 | The program uses an expression in which operator precedence causes incorrect logic to be used. |
| CUDA | 786 | The software reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| CUDA | 787 | The software writes data past the end, or before the beginning, of the intended buffer. |
| CUDA | 788 | The software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer. |
| CUDA | 789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CUDA | 798 | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| CUDA | 800 | CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| CUDA | 801 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| CUDA | 802 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| CUDA | 803 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| CUDA | 805 | The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer. |
| CUDA | 807 | The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CUDA | 808 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| CUDA | 809 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CUDA | 810 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010. |
| CUDA | 812 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010. |
| CUDA | 813 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2010. |
| CUDA | 815 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2010. |
| CUDA | 816 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010. |
| CUDA | 817 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2010. |
| CUDA | 818 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. |
| CUDA | 820 | The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. |
| CUDA | 823 | The program performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. |
| CUDA | 825 | The program dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
| CUDA | 828 | The software defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted. |
| CUDA | 833 | The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. |
| CUDA | 834 | The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
| CUDA | 835 | The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| CUDA | 840 | Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses. |
| CUDA | 843 | The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
| CUDA | 844 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
| CUDA | 845 | Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 846 | Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 847 | Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 848 | Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 849 | Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 850 | Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 851 | Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 852 | Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 853 | Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 854 | Weaknesses in this category are related to rules in the Thread APIs (THI) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 857 | Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 858 | Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 859 | Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 860 | Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 861 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| CUDA | 862 | The software does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CUDA | 864 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| CUDA | 865 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| CUDA | 866 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| CUDA | 867 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| CUDA | 868 | CWE entries in this view (graph) are fully or partially eliminated by following the SEI CERT C++ Coding Standard, as published in 2016. This view is no longer being actively maintained, since it statically represents the coding rules as they were in 2016. |
| CUDA | 871 | Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 872 | Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 873 | Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 874 | Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 875 | Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 876 | Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 877 | Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 878 | Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 879 | Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 880 | Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 881 | Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 882 | Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 883 | Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete. |
| CUDA | 884 | This view contains a selection of weaknesses that represent the variety of weaknesses that are captured in CWE, at a level of abstraction that is likely to be useful to most audiences. It can be used by researchers to determine how broad their theories, models, or tools are. It will also be used by the CWE content team in 2012 to focus quality improvement efforts for individual CWE entries. |
| CUDA | 885 | This category identifies Software Fault Patterns (SFPs) within the Risky Values cluster (SFP1). |
| CUDA | 886 | This category identifies Software Fault Patterns (SFPs) within the Unused entities cluster (SFP2). |
| CUDA | 887 | This category identifies Software Fault Patterns (SFPs) within the API cluster (SFP3). |
| CUDA | 888 | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
| CUDA | 889 | This category identifies Software Fault Patterns (SFPs) within the Exception Management cluster (SFP4, SFP5, SFP6). |
| CUDA | 890 | This category identifies Software Fault Patterns (SFPs) within the Memory Access cluster (SFP7, SFP8). |
| CUDA | 891 | This category identifies Software Fault Patterns (SFPs) within the Memory Management cluster (SFP38). |
| CUDA | 892 | This category identifies Software Fault Patterns (SFPs) within the Resource Management cluster (SFP37). |
| CUDA | 893 | This category identifies Software Fault Patterns (SFPs) within the Path Resolution cluster (SFP16, SFP17, SFP18). |
| CUDA | 894 | This category identifies Software Fault Patterns (SFPs) within the Synchronization cluster (SFP19, SFP20, SFP21, SFP22). |
| CUDA | 895 | This category identifies Software Fault Patterns (SFPs) within the Information Leak cluster (SFP23). |
| CUDA | 896 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input cluster (SFP24, SFP25, SFP26, SFP27). |
| CUDA | 897 | This category identifies Software Fault Patterns (SFPs) within the Entry Points cluster (SFP28). |
| CUDA | 898 | This category identifies Software Fault Patterns (SFPs) within the Authentication cluster (SFP29, SFP30, SFP31, SFP32, SFP33, SFP34). |
| CUDA | 899 | This category identifies Software Fault Patterns (SFPs) within the Access Control cluster (SFP35). |
| CUDA | 900 | CWE entries in this view (graph) are listed in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors. |
| CUDA | 901 | This category identifies Software Fault Patterns (SFPs) within the Privilege cluster (SFP36). |
| CUDA | 902 | This category identifies Software Fault Patterns (SFPs) within the Channel cluster. |
| CUDA | 903 | This category identifies Software Fault Patterns (SFPs) within the Cryptography cluster. |
| CUDA | 905 | This category identifies Software Fault Patterns (SFPs) within the Predictability cluster. |
| CUDA | 906 | This category identifies Software Fault Patterns (SFPs) within the UI cluster. |
| CUDA | 907 | This category identifies Software Fault Patterns (SFPs) within the Other cluster. |
| CUDA | 908 | The software uses or accesses a resource that has not been initialized. |
| CUDA | 909 | The software does not initialize a critical resource. |
| CUDA | 910 | The software uses or accesses a file descriptor after it has been closed. |
| CUDA | 913 | The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
| CUDA | 916 | The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
| CUDA | 918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CUDA | 922 | The software stores sensitive information without properly limiting read or write access by unauthorized actors. |
| CUDA | 923 | The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. |
| CUDA | 928 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2013. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| CUDA | 929 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2013. |
| CUDA | 930 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2013. |
| CUDA | 932 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2013. |
| CUDA | 933 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2013. |
| CUDA | 934 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2013. |
| CUDA | 935 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2013. |
| CUDA | 943 | The application generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query. |
| CUDA | 944 | This category identifies Software Fault Patterns (SFPs) within the Access Management cluster. |
| CUDA | 945 | This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Access cluster (SFP35). |
| CUDA | 946 | This category identifies Software Fault Patterns (SFPs) within the Insecure Resource Permissions cluster. |
| CUDA | 947 | This category identifies Software Fault Patterns (SFPs) within the Authentication Bypass cluster. |
| CUDA | 949 | This category identifies Software Fault Patterns (SFPs) within the Faulty Endpoint Authentication cluster (SFP29). |
| CUDA | 950 | This category identifies Software Fault Patterns (SFPs) within the Hardcoded Sensitive Data cluster (SFP33). |
| CUDA | 956 | This category identifies Software Fault Patterns (SFPs) within the Channel Attack cluster. |
| CUDA | 957 | This category identifies Software Fault Patterns (SFPs) within the Protocol Error cluster. |
| CUDA | 958 | This category identifies Software Fault Patterns (SFPs) within the Broken Cryptography cluster. |
| CUDA | 959 | This category identifies Software Fault Patterns (SFPs) within the Weak Cryptography cluster. |
| CUDA | 960 | This category identifies Software Fault Patterns (SFPs) within the Ambiguous Exception Type cluster (SFP5). |
| CUDA | 961 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6). |
| CUDA | 962 | This category identifies Software Fault Patterns (SFPs) within the Unchecked Status Condition cluster (SFP4). |
| CUDA | 963 | This category identifies Software Fault Patterns (SFPs) within the Exposed Data cluster (SFP23). |
| CUDA | 964 | This category identifies Software Fault Patterns (SFPs) within the Exposure Temporary File cluster. |
| CUDA | 966 | This category identifies Software Fault Patterns (SFPs) within the Other Exposures cluster. |
| CUDA | 969 | This category identifies Software Fault Patterns (SFPs) within the Faulty Memory Release cluster (SFP12). |
| CUDA | 970 | This category identifies Software Fault Patterns (SFPs) within the Faulty Buffer Access cluster (SFP8). |
| CUDA | 971 | This category identifies Software Fault Patterns (SFPs) within the Faulty Pointer Use cluster (SFP7). |
| CUDA | 973 | This category identifies Software Fault Patterns (SFPs) within the Improper NULL Termination cluster (SFP11). |
| CUDA | 974 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Buffer Length Computation cluster (SFP10). |
| CUDA | 975 | This category identifies Software Fault Patterns (SFPs) within the Architecture cluster. |
| CUDA | 977 | This category identifies Software Fault Patterns (SFPs) within the Design cluster. |
| CUDA | 978 | This category identifies Software Fault Patterns (SFPs) within the Implementation cluster. |
| CUDA | 979 | This category identifies Software Fault Patterns (SFPs) within the Failed Chroot Jail cluster (SFP17). |
| CUDA | 980 | This category identifies Software Fault Patterns (SFPs) within the Link in Resource Name Resolution cluster (SFP18). |
| CUDA | 981 | This category identifies Software Fault Patterns (SFPs) within the Path Traversal cluster (SFP16). |
| CUDA | 982 | This category identifies Software Fault Patterns (SFPs) within the Failure to Release Resource cluster (SFP14). |
| CUDA | 983 | This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Use cluster (SFP15). |
| CUDA | 984 | This category identifies Software Fault Patterns (SFPs) within the Life Cycle cluster. |
| CUDA | 985 | This category identifies Software Fault Patterns (SFPs) within the Unrestricted Consumption cluster (SFP13). |
| CUDA | 986 | This category identifies Software Fault Patterns (SFPs) within the Missing Lock cluster (SFP19). |
| CUDA | 987 | This category identifies Software Fault Patterns (SFPs) within the Multiple Locks/Unlocks cluster (SFP21). |
| CUDA | 988 | This category identifies Software Fault Patterns (SFPs) within the Race Condition Window cluster (SFP20). |
| CUDA | 990 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Command cluster (SFP24). |
| CUDA | 991 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Environment cluster (SFP27). |
| CUDA | 992 | This category identifies Software Fault Patterns (SFPs) within the Faulty Input Transformation cluster. |
| CUDA | 993 | This category identifies Software Fault Patterns (SFPs) within the Incorrect Input Handling cluster. |
| CUDA | 994 | This category identifies Software Fault Patterns (SFPs) within the Tainted Input to Variable cluster (SFP25). |
| CUDA | 997 | This category identifies Software Fault Patterns (SFPs) within the Information Loss cluster. |
| CUDA | 998 | This category identifies Software Fault Patterns (SFPs) within the Glitch in Computation cluster (SFP1). |
| CUDA | 1000 | This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, or when they are introduced in the development life cycle. By design, this view is expected to include every weakness within CWE. |
| CUDA | 1001 | This category identifies Software Fault Patterns (SFPs) within the Use of an Improper API cluster (SFP3). |
| CUDA | 1002 | This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster. |
| CUDA | 1003 | CWE entries in this view (graph) may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the National Vulnerability Database (NVD). By design, this view is incomplete; it is limited to a small number of the most commonly-seen weaknesses, so that it is easier for humans to use. This view uses a shallow hierarchy of two levels in order to simplify the complex, category-oriented navigation of the entire CWE corpus. |
| CUDA | 1005 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input." |
| CUDA | 1006 | Weaknesses in this category are related to coding practices that are deemed unsafe and increase the chances that an exploitable vulnerability will be present in the application. These weaknesses do not directly introduce a vulnerability, but indicate that the product has not been carefully developed or maintained. If a program is complex, difficult to maintain, not portable, or shows evidence of neglect, then there is a higher likelihood that weaknesses are buried in the code. |
| CUDA | 1008 | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
| CUDA | 1009 | Weaknesses in this category are related to the design and architecture of audit-based components of the system. Frequently these deal with logging user activities in order to identify attackers and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1010 | Weaknesses in this category are related to the design and architecture of authentication components of the system. Frequently these deal with verifying the entity is indeed who it claims to be. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1011 | Weaknesses in this category are related to the design and architecture of a system's authorization components. Frequently these deal with enforcing that agents have the required permissions before performing certain operations, such as modifying data. The weaknesses in this category could lead to a degradation of quality of the authorization capability if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1012 | Weaknesses in this category are related to the design and architecture of multiple security tactics and how they affect a system. For example, information exposure can impact the Limit Access and Limit Exposure security tactics. The weaknesses in this category could lead to a degradation of the quality of many capabilities if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1013 | Weaknesses in this category are related to the design and architecture of data confidentiality in a system. Frequently these deal with the use of encryption libraries. The weaknesses in this category could lead to a degradation of the quality data encryption if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1014 | Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1015 | Weaknesses in this category are related to the design and architecture of system resources. Frequently these deal with restricting the amount of resources that are accessed by actors, such as memory, network connections, CPU or access points. The weaknesses in this category could lead to a degradation of the quality of authentication if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1016 | Weaknesses in this category are related to the design and architecture of the entry points to a system. Frequently these deal with minimizing the attack surface through designing the system with the least needed amount of entry points. The weaknesses in this category could lead to a degradation of a system's defenses if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1019 | Weaknesses in this category are related to the design and architecture of a system's input validation components. Frequently these deal with sanitizing, neutralizing and validating any externally provided inputs to minimize malformed data from entering the system and preventing code injection in the input data. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1020 | Weaknesses in this category are related to the design and architecture of a system's data integrity components. Frequently these deal with ensuring integrity of data, such as messages, resource files, deployment files, and configuration files. The weaknesses in this category could lead to a degradation of data integrity quality if they are not addressed when designing or implementing a secure architecture. |
| CUDA | 1026 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2017. |
| CUDA | 1027 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2017. |
| CUDA | 1028 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2017. |
| CUDA | 1029 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2017. |
| CUDA | 1031 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2017. |
| CUDA | 1032 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2017. |
| CUDA | 1037 | The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified. |
| CUDA | 1041 | The software has multiple functions, methods, procedures, macros, etc. that contain the same code. |
| CUDA | 1045 | A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor. |
| CUDA | 1055 | The software contains a class with inheritance from more than one concrete class. |
| CUDA | 1059 | The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc. |
| CUDA | 1061 | The software does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend. |
| CUDA | 1076 | The product's architecture, source code, design, documentation, or other artifact does not follow required conventions. |
| CUDA | 1077 | The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision. |
| CUDA | 1078 | The source code does not follow desired style or formatting for indentation, white space, comments, etc. |
| CUDA | 1079 | A parent class contains one or more child classes, but the parent class does not have a virtual destructor method. |
| CUDA | 1095 | The software uses a loop with a control flow condition based on a value that is updated within the body of the loop. |
| CUDA | 1108 | The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context. |
| CUDA | 1109 | The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data. |
| CUDA | 1113 | The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product. |
| CUDA | 1114 | The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product. |
| CUDA | 1126 | The source code declares a variable in one scope, but the variable is only used within a narrower scope. |
| CUDA | 1128 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2016. These measures are derived from Object Management Group (OMG) standards. |
| CUDA | 1129 | Weaknesses in this category are related to the CISQ Quality Measures for Reliability, as documented in 2016 with the Automated Source Code CISQ Reliability Measure (ASCRM) Specification 1.0. Presence of these weaknesses could reduce the reliability of the software. |
| CUDA | 1130 | Weaknesses in this category are related to the CISQ Quality Measures for Maintainability, as documented in 2016 with the Automated Source Code Maintainability Measure (ASCMM) Specification 1.0. Presence of these weaknesses could reduce the maintainability of the software. |
| CUDA | 1131 | Weaknesses in this category are related to the CISQ Quality Measures for Security, as documented in 2016 with the Automated Source Code Security Measure (ASCSM) Specification 1.0. Presence of these weaknesses could reduce the security of the software. |
| CUDA | 1133 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. |
| CUDA | 1134 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1135 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1136 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1137 | Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1139 | Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1140 | Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1141 | Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1142 | Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1143 | Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1147 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1148 | Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1149 | Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1150 | Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1152 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java. |
| CUDA | 1154 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT C Coding Standard. |
| CUDA | 1156 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT C Coding Standard. |
| CUDA | 1157 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT C Coding Standard. |
| CUDA | 1158 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT C Coding Standard. |
| CUDA | 1159 | Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) section of the SEI CERT C Coding Standard. |
| CUDA | 1160 | Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) section of the SEI CERT C Coding Standard. |
| CUDA | 1161 | Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT C Coding Standard. |
| CUDA | 1162 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) section of the SEI CERT C Coding Standard. |
| CUDA | 1163 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard. |
| CUDA | 1164 | The program contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness. |
| CUDA | 1165 | Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) section of the SEI CERT C Coding Standard. |
| CUDA | 1166 | Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) section of the SEI CERT C Coding Standard. |
| CUDA | 1167 | Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) section of the SEI CERT C Coding Standard. |
| CUDA | 1168 | Weaknesses in this category are related to the rules and recommendations in the Application Programming Interfaces (API) section of the SEI CERT C Coding Standard. |
| CUDA | 1169 | Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT C Coding Standard. |
| CUDA | 1170 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT C Coding Standard. |
| CUDA | 1171 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) section of the SEI CERT C Coding Standard. |
| CUDA | 1172 | Weaknesses in this category are related to the rules and recommendations in the Microsoft Windows (WIN) section of the SEI CERT C Coding Standard. |
| CUDA | 1177 | The software uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer. |
| CUDA | 1178 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Perl Coding Standard. |
| CUDA | 1179 | Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Perl Coding Standard. |
| CUDA | 1180 | Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Perl Coding Standard. |
| CUDA | 1181 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Perl Coding Standard. |
| CUDA | 1182 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) section of the SEI CERT Perl Coding Standard. |
| CUDA | 1185 | Weaknesses in this category are related to the rules and recommendations in the File Input and Output (FIO) section of the SEI CERT Perl Coding Standard. |
| CUDA | 1186 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Perl Coding Standard. |
| CUDA | 1194 | This view organizes weaknesses around concepts that are frequently used or encountered in hardware design. Accordingly, this view can align closely with the perspectives of designers, manufacturers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| CUDA | 1195 | Weaknesses in this category are root-caused to defects that arise in the semiconductor-manufacturing process or during the life cycle and supply chain. |
| CUDA | 1198 | Weaknesses in this category are related to features and mechanisms providing hardware-based isolation and access control (e.g., identity, policy, locking control) of sensitive shared hardware resources such as registers and fuses. |
| CUDA | 1200 | CWE entries in this view are listed in the 2019 CWE Top 25 Most Dangerous Software Errors. |
| CUDA | 1202 | Weaknesses in this category are typically associated with memory (e.g., DRAM, SRAM) and storage technologies (e.g., NAND Flash, OTP, EEPROM, and eMMC). |
| CUDA | 1205 | Weaknesses in this category are related to hardware implementations of cryptographic protocols and other hardware-security primitives such as physical unclonable functions (PUFs) and random number generators (RNGs). |
| CUDA | 1208 | Weaknesses in this category can arise in multiple areas of hardware design or can apply to a wide cross-section of components. |
| CUDA | 1210 | Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesired access and modifications to the system. The weaknesses in this category could lead to a degradation of the quality of the audit capability if they are not addressed. |
| CUDA | 1211 | Weaknesses in this category are related to authentication components of a system. Frequently these deal with the ability to verify that an entity is indeed who it claims to be. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authentication capability. |
| CUDA | 1212 | Weaknesses in this category are related to authorization components of a system. Frequently these deal with the ability to enforce that agents have the required permissions before performing certain operations, such as modifying data. If not addressed when designing or implementing a software system, these weaknesses could lead to a degradation of the quality of the authorization capability. |
| CUDA | 1213 | Weaknesses in this category are related to a software system's random number generation. |
| CUDA | 1215 | Weaknesses in this category are related to a software system's components for input validation, output validation, or other kinds of validation. Validation is a frequently-used technique for ensuring that data conforms to expectations before it is further processed as input or output. There are many varieties of validation (see CWE-20, which is just for input validation). Validation is distinct from other techniques that attempt to modify data before processing it, although developers may consider all attempts to product "safe" inputs or outputs as some kind of validation. Regardless, validation is a powerful tool that is often used to minimize malformed data from entering the system, or indirectly avoid code injection or other potentially-malicious patterns when generating output. The weaknesses in this category could lead to a degradation of the quality of data flow in a system if they are not addressed. |
| CUDA | 1218 | Weaknesses in this category are related to the handling of memory buffers within a software system. |
| CUDA | 1219 | Weaknesses in this category are related to the handling of files within a software system. Files, directories, and folders are so central to information technology that many different weaknesses and variants have been discovered. |
| CUDA | 1226 | Weaknesses in this category are associated with things being overly complex. |
| CUDA | 1228 | Weaknesses in this category are related to the use of built-in functions or external APIs. |
| CUDA | 1237 | This category identifies Software Fault Patterns (SFPs) within the Faulty Resource Release cluster (SFP37). |
| CUDA | 1238 | This category identifies Software Fault Patterns (SFPs) within the Failure to Release Memory cluster (SFP38). |
| CUDA | 1241 | The device uses an algorithm that is predictable and generates a pseudo-random number. |
| CUDA | 1305 | This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures, released in 2020. These measures are derived from Object Management Group (OMG) standards. |
| CUDA | 1306 | Weaknesses in this category are related to the CISQ Quality Measures for Reliability. Presence of these weaknesses could reduce the reliability of the software. |
| CUDA | 1307 | Weaknesses in this category are related to the CISQ Quality Measures for Maintainability. Presence of these weaknesses could reduce the maintainability of the software. |
| CUDA | 1308 | Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software. |
| CUDA | 1309 | Weaknesses in this category are related to the CISQ Quality Measures for Efficiency. Presence of these weaknesses could reduce the efficiency of the software. |
| CUDA | 1337 | CWE entries in this view are listed in the 2021 CWE Top 25 Most Dangerous Software Weaknesses. |
| CUDA | 1340 | This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group. |
| CUDA | 1344 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CUDA | 1345 | Weaknesses in this category are related to the A01 category "Broken Access Control" in the OWASP Top Ten 2021. |
| CUDA | 1346 | Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021. |
| CUDA | 1347 | Weaknesses in this category are related to the A03 category "Injection" in the OWASP Top Ten 2021. |
| CUDA | 1348 | Weaknesses in this category are related to the A04 "Insecure Design" category in the OWASP Top Ten 2021. |
| CUDA | 1349 | Weaknesses in this category are related to the A05 category "Security Misconfiguration" in the OWASP Top Ten 2021. |
| CUDA | 1350 | CWE entries in this view are listed in the 2020 CWE Top 25 Most Dangerous Software Weaknesses. |
| CUDA | 1353 | Weaknesses in this category are related to the A07 category "Identification and Authentication Failures" in the OWASP Top Ten 2021. |
| CUDA | 1355 | Weaknesses in this category are related to the A09 category "Security Logging and Monitoring Failures" in the OWASP Top Ten 2021. |
| CUDA | 1356 | Weaknesses in this category are related to the A10 category "Server-Side Request Forgery (SSRF)" in the OWASP Top Ten 2021. |
| CUDA | 1358 | CWE entries in this view (graph) are associated with the Categories of Security Vulnerabilities in ICS, as published by the Securing Energy Infrastructure Executive Task Force (SEI ETF) in March 2022. Weaknesses and categories in this view are focused on issues that affect ICS (Industrial Control Systems) but have not been traditionally covered by CWE in the past due to its earlier emphasis on enterprise IT software. Note: weaknesses in this view are based on "Nearest IT Neighbor" recommendations and other suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1359 | Weaknesses in this category are related to the "ICS Communications" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CUDA | 1360 | Weaknesses in this category are related to the "ICS Dependencies (& Architecture)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CUDA | 1361 | Weaknesses in this category are related to the "ICS Supply Chain" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CUDA | 1362 | Weaknesses in this category are related to the "ICS Engineering (Constructions/Deployment)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CUDA | 1363 | Weaknesses in this category are related to the "ICS Operations (& Maintenance)" super category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. |
| CUDA | 1364 | Weaknesses in this category are related to the "Zone Boundary Failures" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1366 | Weaknesses in this category are related to the "Frail Security in Protocols" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1368 | Weaknesses in this category are related to the "External Digital Systems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1371 | Weaknesses in this category are related to the "Poorly Documented or Undocumented Features" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1372 | Weaknesses in this category are related to the "OT Counterfeit and Malicious Corruption" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1373 | Weaknesses in this category are related to the "Trust Model Problems" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1376 | Weaknesses in this category are related to the "Security Gaps in Commissioning" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1382 | Weaknesses in this category are related to the "Emerging Energy Technologies" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1383 | Weaknesses in this category are related to the "Compliance/Conformance with Regulatory Requirements" category from the SEI ETF "Categories of Security Vulnerabilities in ICS" as published in March 2022. Note: members of this category include "Nearest IT Neighbor" recommendations from the report, as well as suggestions by the CWE team. These relationships are likely to change in future CWE versions. |
| CUDA | 1387 | CWE entries in this view are listed in the 2022 CWE Top 25 Most Dangerous Software Weaknesses. |
| Go | 2 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms." |
| Go | 4 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| Go | 5 | Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted. |
| Go | 16 | Weaknesses in this category are typically introduced during the configuration of the software. |
| Go | 17 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| Go | 18 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| Go | 19 | Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. |
| Go | 20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| Go | 21 | This category has been deprecated. It was originally used for organizing weaknesses involving file names, which enabled access to files outside of a restricted directory (path traversal) or to perform operations on files that would otherwise be restricted (path equivalence). Consider using either the File Handling Issues category (CWE-1219) or the class Use of Incorrectly-Resolved Name or Reference (CWE-706). |
| Go | 22 | The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| Go | 23 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
| Go | 36 | The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. |
| Go | 74 | The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| Go | 77 | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| Go | 78 | The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| Go | 79 | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| Go | 80 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| Go | 82 | The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute. |
| Go | 83 | The software does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style. |
| Go | 85 | The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters. |
| Go | 86 | The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers. |
| Go | 87 | The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
| Go | 88 | The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
| Go | 89 | The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. |
| Go | 91 | The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
| Go | 93 | The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
| Go | 94 | The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| Go | 113 | The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| Go | 116 | The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| Go | 117 | The software does not neutralize or incorrectly neutralizes output that is written to logs. |
| Go | 118 | The software does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files. |
| Go | 119 | The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. |
| Go | 137 | Weaknesses in this category are related to the creation or neutralization of data using an incorrect format. |
| Go | 138 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. |
| Go | 140 | The software does not neutralize or incorrectly neutralizes delimiters. |
| Go | 141 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component. |
| Go | 142 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component. |
| Go | 143 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component. |
| Go | 146 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component. |
| Go | 149 | Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions. |
| Go | 150 | The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
| Go | 157 | The software does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces. |
| Go | 171 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. Weaknesses in this category were related to improper handling of data within protection mechanisms that attempt to perform neutralization for untrusted data. These weaknesses can be found in other similar categories. |
| Go | 183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
| Go | 189 | Weaknesses in this category are related to improper calculation or conversion of numbers. |
| Go | 199 | Weaknesses in this category are related to improper handling of sensitive information. |
| Go | 200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| Go | 201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| Go | 209 | The software generates an error message that includes sensitive information about its environment, users, or associated data. |
| Go | 210 | The software identifies an error condition and creates its own diagnostic or error messages that contain sensitive information. |
| Go | 211 | The application performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the application, such as an error generated by the programming language interpreter that the software uses. The error can contain sensitive system information. |
| Go | 221 | The software does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. |
| Go | 223 | The application does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe. |
| Go | 226 | The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. |
| Go | 227 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated." |
| Go | 249 | This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785. This entry was deprecated for several reasons. The primary reason is over-loading of the "path manipulation" term and the description. The original description for this entry was the same as that for the "Often Misused: File System" item in the original Seven Pernicious Kingdoms paper. However, Seven Pernicious Kingdoms also has a "Path Manipulation" phrase that is for external control of pathnames (CWE-73), which is a factor in symbolic link following and path traversal, neither of which is explicitly mentioned in 7PK. Fortify uses the phrase "Often Misused: Path Manipulation" for a broader range of problems, generally for issues related to buffer management. Given the multiple conflicting uses of this term, there is a chance that CWE users may have incorrectly mapped to this entry. The second reason for deprecation is an implied combination of multiple weaknesses within buffer-handling functions. The focus of this entry was generally on the path-conversion functions and their association with buffer overflows. However, some of Fortify's Vulncat entries have the term "path manipulation" but describe a non-overflow weakness in which the buffer is not guaranteed to contain the entire pathname, i.e., there is information truncation (see CWE-222 for a similar concept). A new entry for this non-overflow weakness may be created in a future version of CWE. |
| Go | 252 | The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| Go | 253 | The software incorrectly checks a return value from a function, which prevents the software from detecting errors or exceptional conditions. |
| Go | 254 | Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management. |
| Go | 255 | Weaknesses in this category are related to the management of credentials. |
| Go | 256 | Storing a password in plaintext may result in a system compromise. |
| Go | 257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
| Go | 259 | The software contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| Go | 264 | Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. |
| Go | 265 | Weaknesses in this category occur with improper handling, assignment, or management of privileges. A privilege is a property of an agent, such as a user. It lets the agent do things that are not ordinarily allowed. For example, there are privileges which allow an agent to perform maintenance functions such as restart a computer. |
| Go | 275 | Weaknesses in this category are related to improper assignment or handling of permissions. |
| Go | 284 | The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| Go | 285 | The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| Go | 287 | When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. |
| Go | 295 | The software does not validate, or incorrectly validates, a certificate. |
| Go | 300 | The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
| Go | 304 | The software implements an authentication technique, but it skips a step that weakens the technique. |
| Go | 306 | The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| Go | 310 | Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. |
| Go | 311 | The software does not encrypt sensitive or critical information before storage or transmission. |
| Go | 312 | The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
| Go | 313 | The application stores sensitive information in cleartext in a file, or on disk. |
| Go | 314 | The application stores sensitive information in cleartext in the registry. |
| Go | 315 | The application stores sensitive information in cleartext in a cookie. |
| Go | 317 | The application stores sensitive information in cleartext within the GUI. |
| Go | 318 | The application stores sensitive information in cleartext in an executable. |
| Go | 319 | The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| Go | 320 | Weaknesses in this category are related to errors in the management of cryptographic keys. |
| Go | 321 | The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. |
| Go | 326 | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| Go | 327 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| Go | 328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
| Go | 330 | The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| Go | 344 | The product uses a constant value, name, or reference, but this value can (or should) vary across different environments. |
| Go | 345 | The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| Go | 346 | The software does not properly verify that the source of data or communication is valid. |
| Go | 352 | The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. |
| Go | 355 | Weaknesses in this category are related to or introduced in the User Interface (UI). |
| Go | 359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
| Go | 361 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information." |
| Go | 362 | The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. |
| Go | 366 | If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined. |
| Go | 369 | The product divides a value by zero. |
| Go | 371 | Weaknesses in this category are related to improper management of system state. |
| Go | 388 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle." |
| Go | 389 | This category includes weaknesses that occur if a function does not generate the correct return/status code, or if the application does not handle all possible return/status codes that could be generated by a function. This type of problem is most often found in conditions that are rarely encountered during the normal operation of the product. Presumably, most bugs related to common conditions are found and eliminated during development and testing. In some cases, the attacker can directly control or influence the environment to trigger the rare conditions. |
| Go | 398 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways." |
| Go | 399 | Weaknesses in this category are related to improper management of system resources. |
| Go | 404 | The program does not release or incorrectly releases a resource before it is made available for re-use. |
| Go | 405 | Software that does not appropriately monitor or control resource consumption can lead to adverse system performance. |
| Go | 409 | The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| Go | 411 | Weaknesses in this category are related to improper handling of locks that are used to control access to resources. |
| Go | 417 | Weaknesses in this category are related to improper handling of communication channels and access paths. These weaknesses include problems in creating, managing, or removing alternate channels and alternate paths. Some of these can overlap virtual file problems and are commonly used in "bypass" attacks, such as those that exploit authentication errors. |
| Go | 435 | An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses. |
| Go | 436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
| Go | 438 | Weaknesses in this category are related to unexpected behaviors from code that an application uses. |
| Go | 441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
| Go | 442 | This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree. |
| Go | 452 | Weaknesses in this category occur in behaviors that are used for initialization and breakdown. |
| Go | 459 | The software does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| Go | 465 | Weaknesses in this category are related to improper handling of pointers. |
| Go | 476 | A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. |
| Go | 480 | The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways. |
| Go | 485 | This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not." |
| Go | 497 | The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does. |
| Go | 502 | The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. |
| Go | 505 | This category has been deprecated as it was originally used for organizing the Development View (CWE-699), but it introduced unnecessary complexity and depth to the resulting tree. |
| Go | 522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| Go | 523 | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| Go | 532 | Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. |
| Go | 536 | A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker. |
| Go | 538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| Go | 539 | The web application uses persistent cookies, but the cookies contain sensitive information. |
| Go | 548 | A directory listing is inappropriately exposed, yielding potentially sensitive information to attackers. |
| Go | 550 | Certain conditions, such as network failure, will cause a server error message to be displayed. |
| Go | 552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| Go | 557 | Weaknesses in this category are related to concurrent use of shared resources. |
| Go | 561 | The software contains dead code, which can never be executed. |
| Go | 563 | The variable's value is assigned but never used, making it a dead store. |
| Go | 565 | The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. |
| Go | 566 | The software uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor. |
| Go | 567 | The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes. |
| Go | 569 | Weaknesses in this category are related to incorrectly written expressions within code. |
| Go | 573 | The software does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform. |
| Go | 601 | A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. |
| Go | 602 | The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| Go | 610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| Go | 611 | The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
| Go | 613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| Go | 614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. |
| Go | 617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| Go | 629 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2007. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| Go | 632 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| Go | 633 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| Go | 634 | This category has been deprecated. It was not actively maintained, and it was not useful to stakeholders. It was originally created before CWE 1.0 as part of view CWE-631, which was a simple example of how views could be structured within CWE. |
| Go | 635 | CWE nodes in this view (slice) were used by NIST to categorize vulnerabilities within NVD, from 2008 to 2016. This original version has been used by many other projects. |
| Go | 639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| Go | 642 | The software stores security-critical state information about its users, or the software itself, in a location that is accessible to unauthorized actors. |
| Go | 643 | The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. |
| Go | 644 | The application does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
| Go | 657 | The product violates well-established principles for secure design. |
| Go | 662 | The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes. |
| Go | 664 | The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release. |
| Go | 666 | The software performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors. |
| Go | 667 | The software does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
| Go | 668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| Go | 669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
| Go | 670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
| Go | 671 | The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator. |
| Go | 672 | The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |
| Go | 674 | The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack. |
| Go | 675 | The product performs the same operation on a resource two or more times, when the operation should only be applied once. |
| Go | 682 | The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. |
| Go | 691 | The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways. |
| Go | 692 | The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed. |
| Go | 693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| Go | 697 | The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses. |
| Go | 699 | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
| Go | 700 | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |
| Go | 703 | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| Go | 706 | The software uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. |
| Go | 707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
| Go | 710 | The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities. |
| Go | 711 | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2004, and as required for compliance with PCI DSS version 1.1. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| Go | 712 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2007. |
| Go | 713 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2007. |
| Go | 714 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2007. |
| Go | 715 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2007. |
| Go | 716 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2007. |
| Go | 717 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2007. |
| Go | 718 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2007. |
| Go | 719 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2007. |
| Go | 720 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. |
| Go | 721 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2007. |
| Go | 722 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2004. |
| Go | 723 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2004. |
| Go | 724 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2004. |
| Go | 725 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2004. |
| Go | 726 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2004. |
| Go | 727 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2004. |
| Go | 728 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2004. |
| Go | 729 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2004. |
| Go | 730 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2004. |
| Go | 731 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2004. |
| Go | 732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| Go | 734 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT C Secure Coding Standard" published in 2008. This view is considered obsolete, as a newer version of the coding standard is available. This view statically represents the coding rules as they were in 2008. |
| Go | 737 | Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 738 | Weaknesses in this category are related to the rules and recommendations in the Integers (INT) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 739 | Weaknesses in this category are related to the rules and recommendations in the Floating Point (FLP) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 740 | Weaknesses in this category are related to the rules and recommendations in the Arrays (ARR) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 741 | Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 742 | Weaknesses in this category are related to the rules and recommendations in the Memory Management (MEM) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 743 | Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 744 | Weaknesses in this category are related to the rules and recommendations in the Environment (ENV) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 745 | Weaknesses in this category are related to the rules and recommendations in the Signals (SIG) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 746 | Weaknesses in this category are related to the rules and recommendations in the Error Handling (ERR) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 747 | Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) chapter of the CERT C Secure Coding Standard (2008). |
| Go | 748 | Weaknesses in this category are related to the rules and recommendations in the POSIX (POS) appendix of the CERT C Secure Coding Standard (2008). |
| Go | 749 | The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| Go | 750 | CWE entries in this view (graph) are listed in the 2009 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| Go | 751 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| Go | 752 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| Go | 753 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2009 CWE/SANS Top 25 Programming Errors. |
| Go | 754 | The software does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software. |
| Go | 755 | The software does not handle or incorrectly handles an exceptional condition. |
| Go | 764 | The software locks a critical resource more times than intended, leading to an unexpected state in the system. |
| Go | 765 | The software unlocks a critical resource more times than intended, leading to an unexpected state in the system. |
| Go | 776 | The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
| Go | 778 | When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it. |
| Go | 783 | The program uses an expression in which operator precedence causes incorrect logic to be used. |
| Go | 798 | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| Go | 800 | CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is available. |
| Go | 801 | Weaknesses in this category are listed in the "Insecure Interaction Between Components" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| Go | 802 | Weaknesses in this category are listed in the "Risky Resource Management" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| Go | 803 | Weaknesses in this category are listed in the "Porous Defenses" section of the 2010 CWE/SANS Top 25 Programming Errors. |
| Go | 808 | Weaknesses in this category are not part of the general Top 25, but they were part of the original nominee list from which the Top 25 was drawn. |
| Go | 809 | CWE nodes in this view (graph) are associated with the OWASP Top Ten, as released in 2010. This view is considered obsolete as a newer version of the OWASP Top Ten is available. |
| Go | 810 | Weaknesses in this category are related to the A1 category in the OWASP Top Ten 2010. |
| Go | 811 | Weaknesses in this category are related to the A2 category in the OWASP Top Ten 2010. |
| Go | 812 | Weaknesses in this category are related to the A3 category in the OWASP Top Ten 2010. |
| Go | 813 | Weaknesses in this category are related to the A4 category in the OWASP Top Ten 2010. |
| Go | 814 | Weaknesses in this category are related to the A5 category in the OWASP Top Ten 2010. |
| Go | 815 | Weaknesses in this category are related to the A6 category in the OWASP Top Ten 2010. |
| Go | 816 | Weaknesses in this category are related to the A7 category in the OWASP Top Ten 2010. |
| Go | 817 | Weaknesses in this category are related to the A8 category in the OWASP Top Ten 2010. |
| Go | 818 | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. |
| Go | 819 | Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2010. |
| Go | 820 | The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. |
| Go | 833 | The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock. |
| Go | 834 | The software performs an iteration or loop without sufficiently limiting the number of times that the loop is executed. |
| Go | 835 | The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
| Go | 840 | Weaknesses in this category identify some of the underlying problems that commonly allow attackers to manipulate the business logic of an application. Errors in business logic can be devastating to an entire application. They can be difficult to find automatically, since they typically involve legitimate use of the application's functionality. However, many business logic errors can exhibit patterns that are similar to well-understood implementation and design weaknesses. |
| Go | 844 | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
| Go | 845 | Weaknesses in this category are related to rules in the Input Validation and Data Sanitization (IDS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 847 | Weaknesses in this category are related to rules in the Expressions (EXP) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 848 | Weaknesses in this category are related to rules in the Numeric Types and Operations (NUM) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 850 | Weaknesses in this category are related to rules in the Methods (MET) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 851 | Weaknesses in this category are related to rules in the Exceptional Behavior (ERR) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 852 | Weaknesses in this category are related to rules in the Visibility and Atomicity (VNA) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 853 | Weaknesses in this category are related to rules in the Locking (LCK) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 855 | Weaknesses in this category are related to rules in the Thread Pools (TPS) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 857 | Weaknesses in this category are related to rules in the Input Output (FIO) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 858 | Weaknesses in this category are related to rules in the Serialization (SER) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 859 | Weaknesses in this category are related to rules in the Platform Security (SEC) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 860 | Weaknesses in this category are related to rules in the Runtime Environment (ENV) chapter of The CERT Oracle Secure Coding Standard for Java (2011). |
| Go | 861 | Weaknesses in this category are |