List of vulnerability categories supported by Lucent Sky AVM

This article describes how Lucent Sky AVM categorizes vulnerabilities, as well as lists the vulnerability categories that can be identified and remediated by Lucent Sky AVM. Some vulnerability categories might not be supported in earlier versions of Lucent Sky AVM.

How Lucent Sky AVM categorizes vulnerabilities

Lucent Sky AVM uses CWE IDs as the primary categorization mechanism. CWE uses a cascading categorization scheme, meaning that some vulnerabilities can be categorized under more than one CWE IDs. For such vulnerabilities, the Lucent Sky team works with external experts and stakeholders in deciding which CWE ID should be used.

The goal is to use the CWE IDs with identifiable and unique definitions (for example, choosing CWE-201: Information Exposure Through Sent Data over CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), while avoiding cluttering the scan results with hundreds of similar CWE IDs (for example, choosing CWE-22: Path Traversal over CWE-32: Path Traversal: '…' (Triple Dot)).

List of Vulnerability Categories

Name	CWE ID	OWASP Top 10	OWASP ASVS	PCI DSS	CWE Top 25	CWE/SANS Top 25
J2EE Misconfiguration: Data Transmission Without Encryption	CWE5	2004 A10, 2010 A9, 2013 A6, 2017 A3, 2021 A2	L1			*
J2EE Misconfiguration: Insufficient Session-ID Length	CWE6	2004 A10
J2EE Misconfiguration: Missing Custom Error Page	CWE7	2004 A7, 2004 A10, 2021 A5
J2EE Misconfiguration: Entity Bean Declared Remote	CWE8	2004 A10, 2021 A1
J2EE Misconfiguration: Weak Access Permissions for EJB Methods	CWE9	2004 A2, 2004 A10, 2021 A4
ASP.NET Misconfiguration: Creating Debug Binary	CWE11	2004 A10, 2021 A5
ASP.NET Misconfiguration: Missing Custom Error Page^*	CWE12	2004 A10, 2021 A5
ASP.NET Misconfiguration: Password in Configuration File	CWE13	2004 A10, 2021 A5
Compiler Removal of Code to Clear Buffers	CWE14	2004 A8
External Control of System or Configuration Setting	CWE15	2004 A1, 2021 A3, 2021 A4, 2021 A5	L1		*	*
Improper Input Validation	CWE20	2004 A1, 2014 M8, 2021 A3	L1		*	*
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	CWE22	2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1	L1	v3.2.1 6.5.8, v4.0 6.2.4	*	*
Relative Path Traversal	CWE23	2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1	L1		*	*
Path Traversal: '../filedir'^*	CWE24	2021 A1
Path Traversal: '/../filedir'	CWE25	2021 A1
Path Traversal: '/dir/../filename'^*	CWE26	2021 A1
Path Traversal: 'dir/../../filename'^*	CWE27	2021 A1
Path Traversal: '..\filedir'	CWE28	2021 A1
Path Traversal: '..\filename'	CWE29	2021 A1
Path Traversal: '\dir..\filename'^*	CWE30	2021 A1
Path Traversal: 'dir....\filename'	CWE31	2021 A1
Path Traversal: '…' (Triple Dot)	CWE32	2021 A1
Path Traversal: '….' (Multiple Dot)	CWE33	2021 A1
Path Traversal: '….//'	CWE34	2021 A1
Path Traversal: '…/…//'	CWE35	2021 A1
Absolute Path Traversal	CWE36	2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1	L1		*	*
Path Traversal: '/absolute/pathname/here'^*	CWE37
Path Traversal: '\absolute\pathname\here'^*	CWE38
Path Traversal: 'C:dirname'^*	CWE39
Path Traversal: '\UNC\share\name' (Windows UNC Share)	CWE40
Improper Resolution of Path Equivalence^*	CWE41	2004 A2, 2013 A4, 2021 A1
Path Equivalence: 'filename.' (Trailing Dot)^*	CWE42	2004 A2
Path Equivalence: 'filename….' (Multiple Trailing Dot)^*	CWE43
Path Equivalence: 'file.name' (Internal Dot)^*	CWE44	2004 A2
Path Equivalence: 'file…name' (Multiple Internal Dot)^*	CWE45
Path Equivalence: 'filename ' (Trailing Space)^*	CWE46	2004 A2
Path Equivalence: ' filename' (Leading Space)^*	CWE47	2004 A2
Path Equivalence: 'file name' (Internal Whitespace)^*	CWE48	2004 A2
Path Equivalence: 'filename/' (Trailing Slash)^*	CWE49	2004 A2
Path Equivalence: '//multiple/leading/slash'	CWE50	2004 A2
Path Equivalence: '/multiple//internal/slash'^*	CWE51	2004 A2
Path Equivalence: '/multiple/trailing/slash//'	CWE52	2004 A2
Path Equivalence: '\multiple\internal\backslash'	CWE53	2004 A2
Path Equivalence: 'filedir' (Trailing Backslash)^*	CWE54	2004 A2
Path Equivalence: '/./' (Single Dot Directory)	CWE55	2004 A2
Path Equivalence: 'filedir*' (Wildcard)	CWE56	2004 A2
Path Equivalence: 'fakedir/../realdir/filename'	CWE57	2004 A2
Path Equivalence: Windows 8.3 Filename	CWE58	2004 A2
Improper Link Resolution Before File Access ('Link Following')^*	CWE59	2013 A4, 2021 A1				*
UNIX Symbolic Link (Symlink) Following	CWE61	2021 A1				*
UNIX Hard Link	CWE62	2021 A1				*
Windows Shortcut Following (.LNK)	CWE64	2021 A1				*
Windows Hard Link	CWE65	2021 A1				*
Improper Handling of File Names that Identify Virtual Resources^*	CWE66	2013 A4, 2021 A1
Improper Handling of Windows Device Names	CWE67
Improper Handling of Windows ::DATA Alternate Data Stream	CWE69
DEPRECATED: Apple '.DS_Store'	CWE71
Improper Handling of Apple HFS+ Alternate Data Stream Path	CWE72
External Control of File Name or Path	CWE73	2004 A1, 2004 A2, 2021 A3, 2021 A4	L1		*	*
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')	CWE74	2004 A6, 2013 A1, 2021 A3
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)	CWE75	2004 A6, 2013 A1, 2021 A3
Improper Neutralization of Equivalent Special Elements	CWE76	2021 A3
Improper Neutralization of Special Elements used in a Command ('Command Injection')	CWE77	2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3			*
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')	CWE78	2004 A1, 2004 A6, 2007 A2, 2007 A3, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4	*	*
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')	CWE79	2004 A1, 2004 A4, 2004 A6, 2007 A1, 2010 A2, 2013 A1, 2013 A3, 2014 M7, 2017 A7, 2021 A3	L1	v3.2.1 6.5.7, v4.0 6.2.4	*	*
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)	CWE80	2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3	L1		*	*
Improper Neutralization of Script in an Error Message Web Page	CWE81	2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3	L1		*	*
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page	CWE82	2021 A3
Improper Neutralization of Script in Attributes in a Web Page	CWE83	2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3	L1		*	*
Improper Neutralization of Encoded URI Schemes in a Web Page^*	CWE84	2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3	L1		*	*
Doubled Character XSS Manipulations	CWE85	2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3	L1		*	*
Improper Neutralization of Invalid Characters in Identifiers in Web Pages	CWE86	2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3	L1		*	*
Improper Neutralization of Alternate XSS Syntax	CWE87	2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3	L1		*	*
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')	CWE88	2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3			*
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')	CWE89	2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2014 M7, 2017 A1, 2019 API8, 2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4	*	*
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')	CWE90	2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4
XML Injection (aka Blind XPath Injection)	CWE91	2004 A6, 2007 A2, 2010 A1, 2013 A1, 2014 M7, 2017 A1, 2019 API8, 2021 A3		v3.2.1 6.5.1, v4.0 6.2.4
DEPRECATED: Improper Sanitization of Custom Special Characters	CWE92
Improper Neutralization of CRLF Sequences ('CRLF Injection')	CWE93	2004 A6, 2007 A2, 2013 A1, 2021 A3
Improper Control of Generation of Code ('Code Injection')	CWE94	2004 A6, 2013 A1, 2021 A1, 2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4	*	*
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')	CWE95	2004 A6, 2007 A3, 2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4	*	*
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')	CWE96	2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4	*	*
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page	CWE97	2021 A3		v3.2.1 6.5.1, v4.0 6.2.4
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')	CWE98	2004 A6, 2007 A3, 2010 A4, 2013 A4, 2021 A1, 2021 A3, 2021 A8	L1	v3.2.1 6.5.1, v4.0 6.2.4		*
Improper Control of Resource Identifiers ('Resource Injection')^*	CWE99	2004 A6, 2010 A4, 2013 A1, 2013 A4, 2021 A3
Struts: Duplicate Validation Forms^*	CWE102	2004 A1, 2021 A3, 2021 A4	L1		*	*
Struts: Incomplete validate() Method Definition^*	CWE103	2004 A1, 2021 A3	L1		*	*
Struts: Form Bean Does Not Extend Validation Class^*	CWE104	2004 A1, 2021 A3	L1		*	*
Struts: Form Field Without Validator^*	CWE105	2004 A1, 2021 A3, 2021 A4	L1		*	*
Struts: Plug-in Framework not in Use	CWE106	2004 A1, 2021 A3, 2021 A4	L1		*	*
Struts: Unused Validation Form^*	CWE107	2004 A1, 2021 A3	L1		*	*
Struts: Unvalidated Action Form^*	CWE108	2004 A1, 2021 A3, 2021 A4	L1		*	*
Struts: Validator Turned Off^*	CWE109	2004 A1, 2021 A3, 2021 A4	L1		*	*
Struts: Validator Without Form Field^*	CWE110	2004 A1, 2021 A3	L1		*	*
Direct Use of Unsafe JNI^*	CWE111	2004 A1, 2021 A3	L1		*	*
Missing XML Validation^*	CWE112	2004 A1, 2021 A3	L1		*	*
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')	CWE113	2004 A1, 2007 A2, 2021 A3	L1		*	*
Process Control^*	CWE114	2004 A1, 2004 A2, 2021 A3, 2021 A4	L1		*	*
Misinterpretation of Input^*	CWE115		L2
Improper Encoding or Escaping of Output^*	CWE116	2021 A3	L1			*
Improper Output Neutralization for Logs	CWE117	2004 A1, 2004 A6, 2021 A3, 2021 A9	L1		*	*
Incorrect Access of Indexable Resource ('Range Error')^*	CWE118
Improper Restriction of Operations within the Bounds of a Memory Buffer	CWE119	2004 A1, 2004 A5, 2021 A3	L1		*	*
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')	CWE120	2004 A1, 2004 A5, 2021 A3	L1	v3.2.1 6.5.2, v4.0 6.2.4	*	*
Stack-based Buffer Overflow^*	CWE121				*
Heap-based Buffer Overflow^*	CWE122				*
Write-what-where Condition^*	CWE123	2004 A5			*	*
Buffer Underwrite ('Buffer Underflow')^*	CWE124				*
Out-of-bounds Read^*	CWE125	2004 A5			*	*
Buffer Over-read^*	CWE126				*
Buffer Under-read^*	CWE127				*
Wrap-around Error	CWE128					*
Improper Validation of Array Index^*	CWE129	2004 A1, 2021 A3	L1		*	*
Improper Handling of Length Parameter Inconsistency^*	CWE130	2004 A5			*	*
Incorrect Calculation of Buffer Size	CWE131					*
DEPRECATED: Miscalculated Null Termination^*	CWE132
Use of Externally-Controlled Format String	CWE134	2004 A1, 2004 A5, 2021 A1, 2021 A3	L1		*	*
Incorrect Calculation of Multi-Byte String Length^*	CWE135					*
Improper Neutralization of Special Elements^*	CWE138	2021 A3	L1
Improper Neutralization of Delimiters^*	CWE140	2021 A3	L1
Improper Neutralization of Parameter/Argument Delimiters^*	CWE141
Improper Neutralization of Value Delimiters^*	CWE142
Improper Neutralization of Record Delimiters^*	CWE143
Improper Neutralization of Line Delimiters^*	CWE144
Improper Neutralization of Section Delimiters^*	CWE145
Improper Neutralization of Expression/Command Delimiters^*	CWE146
Improper Neutralization of Input Terminators^*	CWE147	2021 A3	L1
Improper Neutralization of Input Leaders^*	CWE148	2021 A3	L1
Improper Neutralization of Quoting Syntax^*	CWE149	2021 A3	L1
Improper Neutralization of Escape, Meta, or Control Sequences^*	CWE150	2021 A3	L1
Improper Neutralization of Comment Delimiters^*	CWE151	2021 A3	L1
Improper Neutralization of Macro Symbols^*	CWE152	2021 A3	L1
Improper Neutralization of Substitution Characters^*	CWE153	2021 A3	L1
Improper Neutralization of Variable Name Delimiters^*	CWE154	2021 A3	L1
Improper Neutralization of Wildcards or Matching Symbols^*	CWE155	2021 A3	L1
Improper Neutralization of Whitespace^*	CWE156	2021 A3	L1
Failure to Sanitize Paired Delimiters^*	CWE157	2021 A3	L1
Improper Neutralization of Null Byte or NUL Character	CWE158	2021 A3	L1
Improper Handling of Invalid Use of Special Elements^*	CWE159	2021 A3	L1
Improper Neutralization of Leading Special Elements^*	CWE160	2021 A3	L1
Improper Neutralization of Multiple Leading Special Elements^*	CWE161
Improper Neutralization of Trailing Special Elements^*	CWE162	2021 A3	L1
Improper Neutralization of Multiple Trailing Special Elements^*	CWE163
Improper Neutralization of Internal Special Elements^*	CWE164	2021 A3	L1
Improper Neutralization of Multiple Internal Special Elements^*	CWE165
Improper Handling of Missing Special Element^*	CWE166	2004 A1, 2004 A7	L1
Improper Handling of Additional Special Element^*	CWE167	2004 A1, 2004 A7	L1
Improper Handling of Inconsistent Special Elements^*	CWE168	2004 A7	L1
Improper Null Termination	CWE170	2004 A1, 2004 A9, 2021 A3	L1		*	*
Encoding Error^*	CWE172
Improper Handling of Alternate Encoding^*	CWE173		L1
Double Decoding of the Same Data^*	CWE174
Improper Handling of Mixed Encoding^*	CWE175
Improper Handling of Unicode Encoding	CWE176		L1
Improper Handling of URL Encoding (Hex Encoding)^*	CWE177
Improper Handling of Case Sensitivity^*	CWE178	2013 A4, 2021 A1
Incorrect Behavior Order: Early Validation^*	CWE179	2004 A1, 2021 A3	L1		*	*
Incorrect Behavior Order: Validate Before Canonicalize^*	CWE180	2004 A1
Incorrect Behavior Order: Validate Before Filter^*	CWE181	2004 A1
Collapse of Data into Unsafe Value^*	CWE182	2004 A1
Permissive List of Allowed Inputs^*	CWE183	2004 A1, 2021 A4
Incomplete List of Disallowed Inputs^*	CWE184	2021 A3
Incorrect Regular Expression	CWE185
Overly Restrictive Regular Expression^*	CWE186
Partial String Comparison^*	CWE187
Reliance on Data/Memory Layout^*	CWE188
Integer Overflow or Wraparound	CWE190	2004 A1, 2021 A3	L1		*	*
Integer Underflow (Wrap or Wraparound)^*	CWE191					*
Integer Coercion Error	CWE192					*
Off-by-one Error^*	CWE193					*
Unexpected Sign Extension^*	CWE194					*
Signed to Unsigned Conversion Error	CWE195					*
Unsigned to Signed Conversion Error^*	CWE196					*
Numeric Truncation Error	CWE197					*
Use of Incorrect Byte Ordering^*	CWE198
Exposure of Sensitive Information to an Unauthorized Actor	CWE200	2007 A6, 2021 A1	L1	v3.2.1 6.5.5, v4.0 6.2.4	*
Insertion of Sensitive Information Into Sent Data^*	CWE201	2007 A6, 2021 A1	L1		*
Exposure of Sensitive Information Through Data Queries^*	CWE202
Observable Discrepancy	CWE203	2004 A7, 2007 A6, 2021 A1	L1		*
Observable Response Discrepancy^*	CWE204	2004 A7, 2007 A6
Observable Behavioral Discrepancy^*	CWE205	2004 A7, 2007 A6
Observable Internal Behavioral Discrepancy^*	CWE206
Observable Behavioral Discrepancy With Equivalent Products^*	CWE207
Observable Timing Discrepancy^*	CWE208	2004 A7, 2007 A6
Generation of Error Message Containing Sensitive Information	CWE209	2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A1, 2021 A4	L1	v3.2.1 6.5.5, v4.0 6.2.4	*	*
Self-generated Error Message Containing Sensitive Information^*	CWE210	2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4	L1			*
Externally-Generated Error Message Containing Sensitive Information	CWE211	2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4				*
Improper Removal of Sensitive Information Before Storage or Transfer	CWE212		L1			*
Exposure of Sensitive Information Due to Incompatible Policies	CWE213	2007 A6, 2019 API3, 2021 A1, 2021 A4	L1		*
Invocation of Process Using Visible Sensitive Information^*	CWE214	2021 A1	L1
Insertion of Sensitive Information Into Debugging Code	CWE215	2004 A10, 2007 A6, 2013 A5, 2021 A1	L1		*
DEPRECATED: Containment Errors (Container Errors)^*	CWE216
DEPRECATED: Failure to Protect Stored Data from Modification^*	CWE217
DEPRECATED: Failure to provide confidentiality for stored data^*	CWE218
Storage of File with Sensitive Data Under Web Root^*	CWE219	2004 A10, 2010 A6, 2021 A1	L1
Storage of File With Sensitive Data Under FTP Root^*	CWE220	2004 A10, 2010 A6, 2017 A3, 2021 A1	L1
Information Loss or Omission^*	CWE221
Truncation of Security-relevant Information^*	CWE222
Omission of Security-relevant Information^*	CWE223	2017 A10, 2019 API10, 2021 A9
Obscured Security-relevant Information by Alternate Name^*	CWE224
DEPRECATED: General Information Management Problems^*	CWE225
Sensitive Information in Resource Not Removed Before Reuse^*	CWE226	2004 A8, 2004 A10	L1			*
Improper Handling of Syntactically Invalid Structure^*	CWE228	2004 A7
Improper Handling of Values^*	CWE229	2004 A7
Improper Handling of Missing Values^*	CWE230
Improper Handling of Extra Values^*	CWE231
Improper Handling of Undefined Values^*	CWE232
Improper Handling of Parameters^*	CWE233	2004 A7	L2
Failure to Handle Missing Parameter^*	CWE234		L2
Improper Handling of Extra Parameters^*	CWE235	2021 A4	L1
Improper Handling of Undefined Parameters^*	CWE236		L2
Improper Handling of Structural Elements^*	CWE237	2004 A7
Improper Handling of Incomplete Structural Elements^*	CWE238
Failure to Handle Incomplete Element^*	CWE239
Improper Handling of Inconsistent Structural Elements^*	CWE240
Improper Handling of Unexpected Data Type^*	CWE241	2004 A7
Use of Inherently Dangerous Function	CWE242	2016 M1, 2016 M7		v3.2.1 6.5.6, v4.0 6.2.4
Creation of chroot Jail Without Changing Working Directory^*	CWE243
Improper Clearing of Heap Memory Before Release ('Heap Inspection')^*	CWE244	2004 A8	L2
J2EE Bad Practices: Direct Management of Connections^*	CWE245
J2EE Bad Practices: Direct Use of Sockets^*	CWE246
DEPRECATED: Reliance on DNS Lookups in a Security Decision^*	CWE247
Uncaught Exception^*	CWE248	2004 A9
DEPRECATED: Often Misused: Path Manipulation^*	CWE249
Execution with Unnecessary Privileges^*	CWE250	2010 A6, 2021 A4	L2		*	*
Unchecked Return Value	CWE252	2004 A7	L2			*
Incorrect Check of Function Return Value	CWE253		L2			*
Plaintext Storage of a Password^*	CWE256	2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4	L2		*
Storing Passwords in a Recoverable Format^*	CWE257	2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4			*
Empty Password in Configuration File^*	CWE258	2004 A3, 2021 A5, 2021 A7	L1
Use of Hard-coded Password	CWE259	2004 A3, 2010 A3, 2019 API2, 2021 A7	L2		*	*
Password in Configuration File^*	CWE260	2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4, 2021 A5			*
Weak Encoding for Password^*	CWE261	2004 A3, 2004 A8, 2007 A7, 2013 A2, 2017 A2, 2021 A2, 2021 A4			*
Not Using Password Aging^*	CWE262
Password Aging with Long Expiration^*	CWE263		L1
Incorrect Privilege Assignment^*	CWE266	2004 A2, 2021 A4			*
Privilege Defined With Unsafe Actions^*	CWE267	2021 A4			*
Privilege Chaining^*	CWE268	2004 A2, 2021 A4			*
Improper Privilege Management^*	CWE269	2004 A2, 2017 A5, 2019 API1, 2021 A1, 2021 A4	L2		*
Privilege Context Switching Error^*	CWE270	2021 A4			*
Privilege Dropping / Lowering Errors^*	CWE271	2021 A4			*
Least Privilege Violation^*	CWE272		L2
Improper Check for Dropped Privileges^*	CWE273		L2			*
Improper Handling of Insufficient Privileges^*	CWE274	2021 A4			*
Incorrect Default Permissions^*	CWE276	2010 A6, 2021 A1	L2		*	*
Insecure Inherited Permissions^*	CWE277	2010 A6	L2		*	*
Insecure Preserved Inherited Permissions^*	CWE278	2010 A6	L2		*	*
Incorrect Execution-Assigned Permissions^*	CWE279	2010 A6	L2		*	*
Improper Handling of Insufficient Permissions or Privileges ^*	CWE280	2021 A4
Improper Preservation of Permissions^*	CWE281	2010 A6	L2		*	*
Improper Ownership Management^*	CWE282	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Unverified Ownership^*	CWE283	2004 A2
Improper Access Control	CWE284	2004 A2, 2014 M5, 2016 M4, 2017 A5, 2019 API1, 2021 A1	L2	v3.2.1 6.5.8, v3.2.1 6.5.10, v4.0 6.2.4
Improper Authorization^*	CWE285	2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1			*
Incorrect User Management^*	CWE286	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Authentication	CWE287	2004 A2, 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2017 A5, 2019 API1, 2021 A1, 2021 A7	L1	v3.2.1 6.5.10, v4.0 6.2.4	*
Authentication Bypass Using an Alternate Path or Channel^*	CWE288	2004 A2, 2007 A10, 2010 A3, 2017 A5, 2019 API1, 2021 A1, 2021 A7	L1		*	*
Authentication Bypass by Alternate Name^*	CWE289
Authentication Bypass by Spoofing^*	CWE290	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7	L1		*
Reliance on IP Address for Authentication^*	CWE291	2021 A3, 2021 A7	L2
DEPRECATED: Trusting Self-reported DNS Name^*	CWE292
Using Referer Field for Authentication^*	CWE293	2021 A7	L2
Authentication Bypass by Capture-replay^*	CWE294	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7	L1		*
Improper Certificate Validation	CWE295	2004 A3, 2004 A10, 2007 A7, 2010 A3, 2013 A2, 2014 M5, 2016 M4, 2017 A2, 2017 A3, 2021 A7	L1	v3.2.1 6.5.3, v3.2.1 6.5.4, v3.2.1 6.5.10, v4.0 6.2.4	*
Improper Following of a Certificate's Chain of Trust^*	CWE296	2004 A3, 2004 A10, 2017 A3, 2021 A2, 2021 A7	L2		*
Improper Validation of Certificate with Host Mismatch	CWE297	2004 A10, 2017 A3, 2021 A7	L2		*
Improper Validation of Certificate Expiration^*	CWE298	2004 A3, 2004 A10, 2017 A3, 2021 A7	L2		*	*
Improper Check for Certificate Revocation^*	CWE299	2004 A9, 2004 A10, 2017 A3, 2021 A7	L2		*	*
Channel Accessible by Non-Endpoint^*	CWE300	2021 A7	L2
Reflection Attack in an Authentication Protocol^*	CWE301	2007 A7
Authentication Bypass by Assumed-Immutable Data^*	CWE302	2004 A3, 2021 A4, 2021 A7				*
Incorrect Implementation of Authentication Algorithm^*	CWE303
Missing Critical Step in Authentication^*	CWE304	2004 A3, 2021 A7	L1
Authentication Bypass by Primary Weakness^*	CWE305
Missing Authentication for Critical Function^*	CWE306	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7	L1		*	*
Improper Restriction of Excessive Authentication Attempts^*	CWE307	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2019 API4, 2021 A4, 2021 A7	L1		*	*
Use of Single-factor Authentication^*	CWE308	2017 A2	L2
Use of Password System for Primary Authentication^*	CWE309	2004 A3
Missing Encryption of Sensitive Data	CWE311	2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2017 A3, 2021 A4	L2	v3.2.1 6.5.3, v3.2.1 6.5.4, v3.2.1 6.5.10, v4.0 6.2.4		*
Cleartext Storage of Sensitive Information	CWE312	2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2014 M2, 2016 M2, 2017 A3, 2021 A1, 2021 A4	L1			*
Cleartext Storage in a File or on Disk^*	CWE313	2010 A7, 2013 A6, 2017 A3, 2021 A4
Cleartext Storage in the Registry^*	CWE314	2010 A7, 2013 A6, 2017 A3, 2021 A4
Cleartext Storage of Sensitive Information in a Cookie	CWE315	2010 A7, 2013 A6, 2017 A3, 2021 A4, 2021 A5
Cleartext Storage of Sensitive Information in Memory^*	CWE316	2010 A7, 2013 A6, 2017 A3, 2021 A4
Cleartext Storage of Sensitive Information in GUI^*	CWE317	2010 A7, 2013 A6, 2017 A3, 2021 A4
Cleartext Storage of Sensitive Information in Executable^*	CWE318	2010 A7, 2013 A6, 2017 A3, 2021 A4
Cleartext Transmission of Sensitive Information	CWE319	2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2014 M3, 2016 M3, 2017 A3, 2021 A2, 2021 A4	L1			*
Use of Hard-coded Cryptographic Key	CWE321	2004 A3, 2004 A8, 2007 A8, 2007 A9, 2010 A3, 2019 API2, 2021 A2, 2021 A7	L2		*	*
Key Exchange without Entity Authentication^*	CWE322	2010 A3, 2021 A2, 2021 A7	L1		*	*
Reusing a Nonce, Key Pair in Encryption^*	CWE323	2021 A2
Use of a Key Past its Expiration Date^*	CWE324	2021 A2				*
Missing Cryptographic Step^*	CWE325	2007 A8, 2007 A9, 2013 A6, 2017 A3, 2021 A2
Inadequate Encryption Strength	CWE326	2004 A8, 2007 A8, 2007 A9, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2	L1	v3.2.1 6.5.3, v4.0 6.2.4
Use of a Broken or Risky Cryptographic Algorithm	CWE327	2004 A8, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2	L2	v3.2.1 6.5.3, v4.0 6.2.4		*
Use of Weak Hash	CWE328	2004 A8, 2007 A8, 2007 A9, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2	L1	v3.2.1 6.5.3, v4.0 6.2.4		*
Generation of Predictable IV with CBC Mode	CWE329	2021 A2		v3.2.1 6.5.3, v4.0 6.2.4
Use of Insufficiently Random Values	CWE330	2004 A2, 2021 A2	L1			*
Insufficient Entropy^*	CWE331	2004 A2, 2021 A2	L1			*
Insufficient Entropy in PRNG^*	CWE332	2021 A2	L1
Improper Handling of Insufficient Entropy in TRNG^*	CWE333	2021 A2	L1
Small Space of Random Values^*	CWE334	2004 A2, 2021 A2	L1			*
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)^*	CWE335	2004 A2, 2021 A2	L1			*
Same Seed in Pseudo-Random Number Generator (PRNG)^*	CWE336	2021 A2
Predictable Seed in Pseudo-Random Number Generator (PRNG)^*	CWE337	2021 A2
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)^*	CWE338	2004 A2, 2021 A2	L1			*
Small Seed Space in PRNG^*	CWE339	2021 A2
Generation of Predictable Numbers or Identifiers^*	CWE340	2004 A2, 2021 A2	L1			*
Predictable from Observable State^*	CWE341	2021 A2
Predictable Exact Value from Previous Values^*	CWE342	2021 A2
Predictable Value Range from Previous Values^*	CWE343	2021 A2
Use of Invariant Value in Dynamically Changing Context^*	CWE344	2004 A2, 2021 A2	L1			*
Insufficient Verification of Data Authenticity^*	CWE345	2004 A3, 2021 A8	L2
Origin Validation Error^*	CWE346	2004 A2, 2004 A3, 2017 A5, 2019 API1, 2021 A1, 2021 A7, 2021 A8	L1
Improper Verification of Cryptographic Signature^*	CWE347	2004 A3, 2021 A2, 2021 A8	L2
Use of Less Trusted Source^*	CWE348	2004 A3, 2021 A8	L2
Acceptance of Extraneous Untrusted Data With Trusted Data^*	CWE349	2004 A3, 2021 A8	L2
Reliance on Reverse DNS Resolution for a Security-Critical Action^*	CWE350	2021 A4, 2021 A7	L1			*
Insufficient Type Distinction^*	CWE351	2004 A3, 2021 A8	L2
Cross-Site Request Forgery (CSRF)	CWE352	2004 A3, 2007 A5, 2010 A5, 2013 A8, 2021 A1, 2021 A8	L1	v3.2.1 6.5.9, v4.0 6.2.4	*	*
Missing Support for Integrity Check	CWE353	2004 A3, 2021 A8	L1
Improper Validation of Integrity Check Value^*	CWE354	2004 A3, 2021 A8	L2			*
Product UI does not Warn User of Unsafe Actions^*	CWE356
Insufficient UI Warning of Dangerous Operations^*	CWE357
Improperly Implemented Security Check for Standard^*	CWE358
Exposure of Private Personal Information to an Unauthorized Actor	CWE359	2007 A6, 2017 A3, 2021 A1	L1		*
Trust of System Event Data^*	CWE360	2004 A3, 2021 A8	L2
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')	CWE362		L2		*	*
Race Condition Enabling Link Following^*	CWE363		L2
Signal Handler Race Condition^*	CWE364		L2		*	*
DEPRECATED: Race Condition in Switch^*	CWE365
Race Condition within a Thread	CWE366		L2		*	*
Time-of-check Time-of-use (TOCTOU) Race Condition^*	CWE367		L2		*	*
Context Switching Race Condition^*	CWE368		L2		*	*
Divide By Zero	CWE369	2004 A9				*
Missing Check for Certificate Revocation after Initial Check^*	CWE370		L2
Incomplete Internal State Distinction^*	CWE372
DEPRECATED: State Synchronization Error^*	CWE373
Passing Mutable Objects to an Untrusted Method	CWE374	2021 A1
Returning a Mutable Object to an Untrusted Caller^*	CWE375	2021 A1
Insecure Temporary File^*	CWE377	2021 A1
Creation of Temporary File With Insecure Permissions^*	CWE378	2021 A1
Creation of Temporary File in Directory with Insecure Permissions^*	CWE379	2021 A1
J2EE Bad Practices: Use of System.exit()	CWE382	2004 A9
J2EE Bad Practices: Direct Use of Threads^*	CWE383
Session Fixation^*	CWE384	2004 A3, 2013 A2, 2014 M9, 2017 A2, 2021 A3, 2021 A7	L1
Covert Timing Channel^*	CWE385		L3
Symbolic Name not Mapping to Correct Object^*	CWE386	2013 A4, 2021 A1
Detection of Error Condition Without Action^*	CWE390	2004 A7	L2
Unchecked Error Condition	CWE391	2004 A7	L2			*
Missing Report of Error Condition^*	CWE392
Return of Wrong Status Code^*	CWE393
Unexpected Status Code or Return Value^*	CWE394	2004 A7	L2			*
Use of NullPointerException Catch to Detect NULL Pointer Dereference^*	CWE395
Declaration of Catch for Generic Exception	CWE396
Declaration of Throws for Generic Exception^*	CWE397
Uncontrolled Resource Consumption	CWE400	2004 A9	L1		*
Missing Release of Memory after Effective Lifetime	CWE401	2004 A9			*	*
Transmission of Private Resources into a New Sphere ('Resource Leak')^*	CWE402	2021 A1
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')^*	CWE403	2021 A1
Improper Resource Shutdown or Release	CWE404	2004 A9				*
Asymmetric Resource Consumption (Amplification)^*	CWE405	2004 A9	L1		*
Insufficient Control of Network Message Volume (Network Amplification)^*	CWE406	2004 A9
Inefficient Algorithmic Complexity^*	CWE407	2004 A9
Incorrect Behavior Order: Early Amplification^*	CWE408	2004 A9
Improper Handling of Highly Compressed Data (Data Amplification)^*	CWE409	2004 A9	L2
Insufficient Resource Pool^*	CWE410	2004 A9
Unrestricted Externally Accessible Lock^*	CWE412	2004 A9
Improper Resource Locking^*	CWE413
Missing Lock Check^*	CWE414
Double Free	CWE415					*
Use After Free	CWE416				*	*
Unprotected Primary Channel^*	CWE419	2021 A4	L1
Unprotected Alternate Channel^*	CWE420		L2
Race Condition During Access to Alternate Channel^*	CWE421		L2		*	*
Unprotected Windows Messaging Channel ('Shatter')^*	CWE422
DEPRECATED: Proxied Trusted Channel^*	CWE423
Improper Protection of Alternate Path^*	CWE424
Direct Request ('Forced Browsing')^*	CWE425	2004 A1, 2004 A2, 2007 A10, 2010 A4, 2010 A8, 2017 A5, 2021 A1, 2021 A7			*	*
Untrusted Search Path^*	CWE426	2021 A1, 2021 A4, 2021 A8			*	*
Uncontrolled Search Path Element^*	CWE427	2021 A1
Unquoted Search Path or Element^*	CWE428	2021 A1
Deployment of Wrong Handler^*	CWE430	2021 A4
Missing Handler^*	CWE431		L2
Dangerous Signal Handler not Disabled During Sensitive Operations^*	CWE432
Unparsed Raw Web Content Delivery^*	CWE433	2004 A10, 2010 A6, 2021 A1
Unrestricted Upload of File with Dangerous Type^*	CWE434	2007 A3, 2010 A4, 2021 A4	L1		*	*
Improper Interaction Between Multiple Correctly-Behaving Entities^*	CWE435
Interpretation Conflict^*	CWE436		L2
Incomplete Model of Endpoint Features^*	CWE437		L2
Behavioral Change in New Version or Environment^*	CWE439
Expected Behavior Violation	CWE440
Unintended Proxy or Intermediary ('Confused Deputy')^*	CWE441	2021 A1, 2021 A3
DEPRECATED: HTTP response splitting^*	CWE443
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')^*	CWE444	2021 A4	L2
UI Discrepancy for Security Feature^*	CWE446
Unimplemented or Unsupported Feature in UI^*	CWE447
Obsolete Feature in UI^*	CWE448
The UI Performs the Wrong Action^*	CWE449
Multiple Interpretations of UI Input^*	CWE450
User Interface (UI) Misrepresentation of Critical Information^*	CWE451	2021 A4
Insecure Default Variable Initialization^*	CWE453
External Initialization of Trusted Variables or Data Stores^*	CWE454					*
Non-exit on Failed Initialization^*	CWE455	2004 A7				*
Missing Initialization of a Variable^*	CWE456					*
Use of Uninitialized Variable	CWE457					*
DEPRECATED: Incorrect Initialization^*	CWE458
Incomplete Cleanup^*	CWE459	2004 A9, 2004 A10				*
Improper Cleanup on Thrown Exception^*	CWE460	2004 A10
Duplicate Key in Associative List (Alist)^*	CWE462
Deletion of Data Structure Sentinel^*	CWE463
Addition of Data Structure Sentinel^*	CWE464	2021 A3	L1
Return of Pointer Value Outside of Expected Range^*	CWE466	2004 A1, 2004 A5, 2021 A3	L1		*	*
Use of sizeof() on a Pointer Type	CWE467					*
Incorrect Pointer Scaling^*	CWE468					*
Use of Pointer Subtraction to Determine Size^*	CWE469					*
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')	CWE470	2004 A1, 2021 A1, 2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4	*	*
Modification of Assumed-Immutable Data (MAID)^*	CWE471	2021 A3
External Control of Assumed-Immutable Web Parameter^*	CWE472	2004 A1, 2007 A4, 2021 A3, 2021 A4				*
PHP External Variable Modification^*	CWE473	2021 A3
Use of Function with Inconsistent Implementations^*	CWE474
Undefined Behavior for Input to API	CWE475
NULL Pointer Dereference	CWE476	2004 A9	L2		*	*
Use of Obsolete Function	CWE477		L2
Missing Default Case in Multiple Condition Expression^*	CWE478
Signal Handler Use of a Non-reentrant Function^*	CWE479
Use of Incorrect Operator	CWE480
Assigning instead of Comparing	CWE481
Comparing instead of Assigning^*	CWE482
Incorrect Block Delimitation^*	CWE483
Omitted Break Statement in Switch	CWE484
Comparison of Classes by Name^*	CWE486
Reliance on Package-level Scope^*	CWE487
Exposure of Data Element to Wrong Session^*	CWE488	2021 A1
Active Debug Code^*	CWE489	2004 A10
Public cloneable() Method Without Final ('Object Hijack')^*	CWE491	2021 A1
Use of Inner Class Containing Sensitive Data^*	CWE492	2021 A1
Critical Public Variable Without Final Modifier	CWE493	2021 A1
Download of Code Without Integrity Check	CWE494	2004 A3, 2021 A8	L2			*
Private Data Structure Returned From A Public Method^*	CWE495
Public Data Assigned to Private Array-Typed Field^*	CWE496
Exposure of Sensitive System Information to an Unauthorized Control Sphere	CWE497	2007 A6, 2021 A1	L1	v3.2.1 6.5.5, v4.0 6.2.4	*
Cloneable Class Containing Sensitive Information^*	CWE498	2021 A1
Serializable Class Containing Sensitive Data^*	CWE499	2021 A1
Public Static Field Not Marked Final^*	CWE500
Trust Boundary Violation	CWE501	2021 A4
Deserialization of Untrusted Data	CWE502	2017 A8, 2021 A1, 2021 A8	L1		*
Embedded Malicious Code^*	CWE506
Trojan Horse^*	CWE507		L3
Non-Replicating Malicious Code^*	CWE508		L3
Replicating Malicious Code (Virus or Worm)^*	CWE509		L1
Trapdoor^*	CWE510
Logic/Time Bomb^*	CWE511		L3
Spyware^*	CWE512
Covert Channel^*	CWE514
Covert Storage Channel^*	CWE515
DEPRECATED: Covert Timing Channel^*	CWE516
.NET Misconfiguration: Use of Impersonation^*	CWE520	2004 A2, 2004 A10, 2021 A4, 2021 A5
Weak Password Requirements^*	CWE521	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7	L1		*
Insufficiently Protected Credentials^*	CWE522	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A1, 2021 A4, 2021 A7	L1		*
Unprotected Transport of Credentials^*	CWE523	2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A2, 2021 A4	L1		*
Use of Cache Containing Sensitive Information^*	CWE524	2021 A1	L2
Use of Web Browser Cache Containing Sensitive Information^*	CWE525	2004 A2, 2004 A3, 2021 A4	L1
Cleartext Storage of Sensitive Information in an Environment Variable^*	CWE526	2004 A10, 2010 A7, 2013 A6, 2017 A3, 2021 A4, 2021 A5
Exposure of Version-Control Repository to an Unauthorized Control Sphere^*	CWE527	2004 A10, 2010 A6, 2021 A1	L1
Exposure of Core Dump File to an Unauthorized Control Sphere^*	CWE528	2004 A10, 2010 A6, 2021 A1	L1
Exposure of Access Control List Files to an Unauthorized Control Sphere^*	CWE529	2004 A10, 2010 A6, 2021 A1	L1
Exposure of Backup File to an Unauthorized Control Sphere	CWE530	2004 A10, 2010 A6, 2021 A1	L1
Inclusion of Sensitive Information in Test Code^*	CWE531	2004 A10, 2021 A1
Insertion of Sensitive Information into Log File^*	CWE532	2004 A10, 2007 A6, 2010 A6, 2021 A1, 2021 A9	L1		*
DEPRECATED: Information Exposure Through Server Log Files^*	CWE533
DEPRECATED: Information Exposure Through Debug Log Files^*	CWE534
Exposure of Information Through Shell Error Message^*	CWE535
Servlet Runtime Error Message Containing Sensitive Information^*	CWE536
Java Runtime Error Message Containing Sensitive Information^*	CWE537	2021 A5
Insertion of Sensitive Information into Externally-Accessible File or Directory^*	CWE538	2007 A6, 2010 A6, 2021 A1	L1		*
Use of Persistent Cookies Containing Sensitive Information	CWE539	2004 A8, 2004 A10, 2010 A6, 2021 A1, 2021 A4	L1
Inclusion of Sensitive Information in Source Code^*	CWE540	2004 A10, 2010 A6, 2021 A1
Inclusion of Sensitive Information in an Include File^*	CWE541	2004 A10, 2021 A1, 2021 A5
DEPRECATED: Information Exposure Through Cleanup Log Files^*	CWE542
Use of Singleton Pattern Without Synchronization in a Multithreaded Context	CWE543
Missing Standardized Error Handling Mechanism^*	CWE544		L2
DEPRECATED: Use of Dynamic Class Loading^*	CWE545
Suspicious Comment^*	CWE546
Use of Hard-coded, Security-relevant Constants^*	CWE547	2021 A5
Exposure of Information Through Directory Listing^*	CWE548	2004 A10, 2013 A5, 2017 A6, 2021 A1	L1
Missing Password Field Masking^*	CWE549	2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4			*
Server-generated Error Message Containing Sensitive Information^*	CWE550	2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4				*
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization^*	CWE551	2004 A2, 2010 A4, 2010 A8, 2021 A1			*	*
Files or Directories Accessible to External Parties	CWE552	2004 A2, 2004 A10, 2007 A10, 2010 A6, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1			*
Command Shell in Externally Accessible Directory^*	CWE553	2004 A10, 2010 A6, 2021 A1	L1
ASP.NET Misconfiguration: Not Using Input Validation Framework^*	CWE554	2004 A10, 2021 A4
J2EE Misconfiguration: Plaintext Password in Configuration File^*	CWE555	2004 A10, 2021 A5
ASP.NET Misconfiguration: Use of Identity Impersonation^*	CWE556	2004 A2, 2004 A10, 2021 A4
Use of getlogin() in Multithreaded Application^*	CWE558
Use of umask() with chmod-style Argument^*	CWE560
Dead Code	CWE561
Return of Stack Variable Address	CWE562
Assignment to Variable without Use	CWE563
SQL Injection: Hibernate	CWE564	2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3	L1		*	*
Reliance on Cookies without Validation and Integrity Checking^*	CWE565	2004 A1, 2021 A4, 2021 A8	L1			*
Authorization Bypass Through User-Controlled SQL Primary Key^*	CWE566	2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2019 API1, 2021 A1	L1
Unsynchronized Access to Shared Data in a Multithreaded Context^*	CWE567
finalize() Method Without super.finalize()	CWE568	2004 A10
Expression is Always False	CWE570
Expression is Always True	CWE571
Call to Thread run() instead of start()	CWE572
Improper Following of Specification by Caller^*	CWE573
EJB Bad Practices: Use of Synchronization Primitives^*	CWE574
EJB Bad Practices: Use of AWT Swing^*	CWE575
EJB Bad Practices: Use of Java I/O^*	CWE576
EJB Bad Practices: Use of Sockets^*	CWE577
EJB Bad Practices: Use of Class Loader^*	CWE578
J2EE Bad Practices: Non-serializable Object Stored in Session	CWE579	2021 A4
clone() Method Without super.clone()	CWE580
Object Model Violation: Just One of Equals and Hashcode Defined^*	CWE581
Array Declared Public, Final, and Static^*	CWE582	2021 A1
finalize() Method Declared Public	CWE583	2021 A1
Return Inside Finally Block^*	CWE584
Empty Synchronized Block	CWE585
Explicit Call to Finalize()	CWE586
Assignment of a Fixed Address to a Pointer	CWE587
Attempt to Access Child of a Non-structure Pointer^*	CWE588
Call to Non-ubiquitous API^*	CWE589
Free of Memory not on the Heap	CWE590
Sensitive Data Storage in Improperly Locked Memory^*	CWE591	2004 A8
DEPRECATED: Authentication Bypass Issues^*	CWE592
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created^*	CWE593
J2EE Framework: Saving Unserializable Objects to Disk^*	CWE594
Comparison of Object References Instead of Object Contents	CWE595
DEPRECATED: Incorrect Semantic Object Comparison^*	CWE596
Use of Wrong Operator in String Comparison	CWE597
Use of GET Request Method With Sensitive Query Strings^*	CWE598	2004 A8, 2021 A1, 2021 A4	L1
Missing Validation of OpenSSL Certificate^*	CWE599	2004 A10, 2017 A3, 2021 A7	L2		*
Uncaught Exception in Servlet ^*	CWE600	2004 A9
URL Redirection to Untrusted Site ('Open Redirect')	CWE601	2004 A1, 2010 A10, 2013 A10, 2021 A1, 2021 A3	L1			*
Client-Side Enforcement of Server-Side Security^*	CWE602	2004 A1, 2021 A4	L1			*
Use of Client-Side Authentication^*	CWE603	2004 A1, 2021 A4	L1			*
Multiple Binds to the Same Port^*	CWE605
Unchecked Input for Loop Condition^*	CWE606
Public Static Final Field References Mutable Object^*	CWE607	2021 A3
Struts: Non-private Field in ActionForm Class^*	CWE608	2021 A1
Double-Checked Locking	CWE609
Externally Controlled Reference to a Resource in Another Sphere^*	CWE610	2021 A3
Improper Restriction of XML External Entity Reference	CWE611	2017 A4, 2021 A3, 2021 A5	L1		*
Improper Authorization of Index Containing Sensitive Information^*	CWE612
Insufficient Session Expiration^*	CWE613	2004 A3, 2013 A2, 2014 M9, 2017 A2, 2021 A7	L1			*
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute	CWE614	2010 A9, 2013 A6, 2016 M3, 2017 A3, 2021 A2, 2021 A5	L1			*
Inclusion of Sensitive Information in Source Code Comments	CWE615	2004 A10, 2021 A1
Incomplete Identification of Uploaded File Variables (PHP)^*	CWE616	2004 A3, 2021 A8	L2
Reachable Assertion^*	CWE617
Exposed Unsafe ActiveX Method^*	CWE618		L1			*
Dangling Database Cursor ('Cursor Injection')^*	CWE619	2021 A1
Unverified Password Change^*	CWE620	2004 A3, 2013 A2, 2017 A2, 2021 A7	L1
Variable Extraction Error^*	CWE621
Improper Validation of Function Hook Arguments^*	CWE622	2004 A1, 2021 A3	L1		*	*
Unsafe ActiveX Control Marked Safe For Scripting^*	CWE623
Executable Regular Expression Error^*	CWE624	2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3			*
Permissive Regular Expression^*	CWE625
Null Byte Interaction Error (Poison Null Byte)^*	CWE626		L1
Dynamic Variable Evaluation^*	CWE627
Function Call with Incorrectly Specified Arguments	CWE628
Not Failing Securely ('Failing Open')^*	CWE636	2004 A7, 2021 A4
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')^*	CWE637	2021 A4	L2
Not Using Complete Mediation^*	CWE638	2010 A4, 2010 A8, 2021 A1, 2021 A4			*	*
Authorization Bypass Through User-Controlled Key^*	CWE639	2004 A2, 2007 A4, 2010 A4, 2010 A8, 2013 A4, 2017 A5, 2019 API1, 2021 A1	L1		*	*
Weak Password Recovery Mechanism for Forgotten Password^*	CWE640	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7	L1		*
Improper Restriction of Names for Files and Other Resources^*	CWE641	2010 A4, 2013 A4, 2021 A3	L1
External Control of Critical State Data^*	CWE642	2021 A1, 2021 A4				*
Improper Neutralization of Data within XPath Expressions ('XPath Injection')	CWE643	2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3	L1	v3.2.1 6.5.1, v4.0 6.2.4
Improper Neutralization of HTTP Headers for Scripting Syntax^*	CWE644	2004 A4, 2021 A3	L1			*
Overly Restrictive Account Lockout Mechanism^*	CWE645	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7	L1		*
Reliance on File Name or Extension of Externally-Supplied File^*	CWE646	2004 A3, 2021 A4, 2021 A8	L2
Use of Non-Canonical URL Paths for Authorization Decisions^*	CWE647	2010 A4, 2010 A8, 2021 A1			*	*
Incorrect Use of Privileged APIs^*	CWE648	2021 A4			*
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking^*	CWE649	2004 A3, 2021 A8	L2
Trusting HTTP Permission Methods on the Server Side^*	CWE650	2021 A4	L1
Exposure of WSDL File Containing Sensitive Information^*	CWE651	2010 A6, 2021 A1
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')^*	CWE652	2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3
Improper Isolation or Compartmentalization^*	CWE653	2021 A4
Reliance on a Single Factor in a Security Decision^*	CWE654	2021 A4
Insufficient Psychological Acceptability^*	CWE655	2021 A4
Reliance on Security Through Obscurity^*	CWE656	2021 A4
Violation of Secure Design Principles^*	CWE657	2021 A4
Improper Synchronization^*	CWE662
Use of a Non-reentrant Function in a Concurrent Context^*	CWE663
Improper Control of a Resource Through its Lifetime	CWE664
Improper Initialization	CWE665					*
Operation on Resource in Wrong Phase of Lifetime^*	CWE666
Improper Locking	CWE667
Exposure of Resource to Wrong Sphere^*	CWE668	2021 A1
Incorrect Resource Transfer Between Spheres^*	CWE669
Always-Incorrect Control Flow Implementation^*	CWE670
Lack of Administrator Control over Security^*	CWE671	2021 A4
Operation on a Resource after Expiration or Release	CWE672					*
External Influence of Sphere Definition^*	CWE673
Uncontrolled Recursion	CWE674	2004 A9
Multiple Operations on Resource in Single-Operation Context^*	CWE675
Use of Potentially Dangerous Function	CWE676					*
Integer Overflow to Buffer Overflow^*	CWE680		L2		*	*
Incorrect Conversion between Numeric Types^*	CWE681					*
Incorrect Calculation	CWE682					*
Function Call With Incorrect Order of Arguments	CWE683
Incorrect Provision of Specified Functionality^*	CWE684
Function Call With Incorrect Number of Arguments	CWE685
Function Call With Incorrect Argument Type	CWE686
Function Call With Incorrectly Specified Argument Value	CWE687
Function Call With Incorrect Variable or Reference as Argument	CWE688
Permission Race Condition During Resource Copy^*	CWE689		L2		*	*
Unchecked Return Value to NULL Pointer Dereference^*	CWE690	2004 A7
Insufficient Control Flow Management^*	CWE691
Incomplete Denylist to Cross-Site Scripting^*	CWE692	2021 A3
Protection Mechanism Failure^*	CWE693
Use of Multiple Resources with Duplicate Identifier^*	CWE694	2010 A4, 2013 A4, 2021 A3
Use of Low-Level Functionality^*	CWE695
Incorrect Behavior Order	CWE696
Incorrect Comparison^*	CWE697
Execution After Redirect (EAR)^*	CWE698
Improper Check or Handling of Exceptional Conditions	CWE703
Incorrect Type Conversion or Cast	CWE704
Incorrect Control Flow Scoping^*	CWE705
Use of Incorrectly-Resolved Name or Reference^*	CWE706	2013 A4, 2021 A1
Improper Neutralization^*	CWE707
Incorrect Ownership Assignment^*	CWE708	2004 A2
Improper Adherence to Coding Standards^*	CWE710
Incorrect Permission Assignment for Critical Resource	CWE732	2004 A2, 2007 A10, 2010 A6, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1		*	*
Compiler Optimization Removal or Modification of Security-critical Code^*	CWE733
Exposed Dangerous Method or Function	CWE749	2004 A2, 2017 A5, 2019 API1, 2021 A1	L1			*
Improper Check for Unusual or Exceptional Conditions^*	CWE754		L2			*
Improper Handling of Exceptional Conditions^*	CWE755
Missing Custom Error Page^*	CWE756	2021 A5
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')^*	CWE757	2021 A2
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior	CWE758
Use of a One-Way Hash without a Salt^*	CWE759	2010 A7, 2021 A2	L2			*
Use of a One-Way Hash with a Predictable Salt^*	CWE760	2021 A2	L2
Free of Pointer not at Start of Buffer^*	CWE761	2004 A9				*
Mismatched Memory Management Routines	CWE762	2004 A9				*
Release of Invalid Pointer or Reference^*	CWE763	2004 A9				*
Multiple Locks of a Critical Resource^*	CWE764
Multiple Unlocks of a Critical Resource^*	CWE765
Critical Data Element Declared Public^*	CWE766	2010 A6	L2		*	*
Access to Critical Private Variable via Public Method^*	CWE767	2021 A1
Incorrect Short Circuit Evaluation	CWE768
DEPRECATED: Uncontrolled File Descriptor Consumption^*	CWE769
Allocation of Resources Without Limits or Throttling^*	CWE770	2004 A9, 2019 API4	L1		*	*
Missing Reference to Active Allocated Resource	CWE771	2004 A9	L1		*
Missing Release of Resource after Effective Lifetime	CWE772	2004 A9			*	*
Missing Reference to Active File Descriptor or Handle^*	CWE773
Allocation of File Descriptors or Handles Without Limits or Throttling^*	CWE774	2019 API4	L1			*
Missing Release of File Descriptor or Handle after Effective Lifetime	CWE775	2004 A9			*	*
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')^*	CWE776	2004 A9, 2017 A4, 2021 A5
Regular Expression without Anchors^*	CWE777
Insufficient Logging^*	CWE778	2017 A10, 2019 API10, 2021 A9	L2
Logging of Excessive Data^*	CWE779	2004 A9	L1		*
Use of RSA Algorithm without OAEP	CWE780	2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2	L2			*
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code^*	CWE781
Exposed IOCTL with Insufficient Access Control^*	CWE782		L1			*
Operator Precedence Logic Error	CWE783
Reliance on Cookies without Validation and Integrity Checking in a Security Decision^*	CWE784	2021 A4, 2021 A8				*
Use of Path Manipulation Function without Maximum-sized Buffer^*	CWE785	2004 A1, 2004 A5, 2021 A3	L1		*	*
Access of Memory Location Before Start of Buffer	CWE786	2004 A5			*	*
Out-of-bounds Write^*	CWE787	2004 A5			*	*
Access of Memory Location After End of Buffer	CWE788	2004 A5			*	*
Memory Allocation with Excessive Size Value^*	CWE789	2019 API4	L1			*
Improper Filtering of Special Elements^*	CWE790	2021 A3	L1
Incomplete Filtering of Special Elements^*	CWE791
Incomplete Filtering of One or More Instances of Special Elements^*	CWE792
Only Filtering One Instance of a Special Element^*	CWE793
Incomplete Filtering of Multiple Instances of Special Elements^*	CWE794
Only Filtering Special Elements at a Specified Location^*	CWE795
Only Filtering Special Elements Relative to a Marker^*	CWE796
Only Filtering Special Elements at an Absolute Position^*	CWE797
Use of Hard-coded Credentials	CWE798	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2014 M2, 2016 M2, 2017 A2, 2019 API2, 2021 A7	L1	v3.2.1 6.5.10, v4.0 6.2.4	*	*
Improper Control of Interaction Frequency^*	CWE799	2021 A4	L1			*
Guessable CAPTCHA^*	CWE804	2010 A4, 2010 A8, 2021 A1			*	*
Buffer Access with Incorrect Length Value^*	CWE805	2004 A5			*	*
Buffer Access Using Size of Source Buffer^*	CWE806					*
Reliance on Untrusted Inputs in a Security Decision	CWE807	2021 A4				*
Missing Synchronization^*	CWE820
Incorrect Synchronization^*	CWE821
Untrusted Pointer Dereference^*	CWE822	2004 A5			*	*
Use of Out-of-range Pointer Offset^*	CWE823	2004 A5			*	*
Access of Uninitialized Pointer^*	CWE824	2004 A5			*	*
Expired Pointer Dereference	CWE825	2004 A5			*	*
Premature Release of Resource During Expected Lifetime^*	CWE826
Improper Control of Document Type Definition^*	CWE827	2010 A4, 2013 A4, 2021 A1, 2021 A8	L1			*
Signal Handler with Functionality that is not Asynchronous-Safe^*	CWE828
Inclusion of Functionality from Untrusted Control Sphere^*	CWE829	2010 A4, 2021 A8	L1			*
Inclusion of Web Functionality from an Untrusted Source^*	CWE830	2010 A4, 2021 A8	L1			*
Signal Handler Function Associated with Multiple Signals^*	CWE831
Unlock of a Resource that is not Locked^*	CWE832
Deadlock	CWE833
Excessive Iteration	CWE834
Loop with Unreachable Exit Condition ('Infinite Loop')^*	CWE835
Use of Password Hash Instead of Password for Authentication^*	CWE836
Improper Enforcement of a Single, Unique Action^*	CWE837	2021 A4	L1			*
Inappropriate Encoding for Output Context^*	CWE838	2021 A3	L1			*
Numeric Range Comparison Without Minimum Check^*	CWE839
Improper Enforcement of Behavioral Workflow^*	CWE841	2021 A4	L1			*
Placement of User into Incorrect Group^*	CWE842
Access of Resource Using Incompatible Type ('Type Confusion')^*	CWE843
Missing Authorization^*	CWE862	2004 A2, 2007 A10, 2010 A4, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1		*	*
Incorrect Authorization^*	CWE863	2004 A2, 2007 A10, 2010 A4, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1		*	*
Use of Uninitialized Resource^*	CWE908					*
Missing Initialization of Resource^*	CWE909					*
Use of Expired File Descriptor	CWE910					*
Improper Update of Reference Count^*	CWE911
Hidden Functionality^*	CWE912
Improper Control of Dynamically-Managed Code Resources^*	CWE913	2021 A1
Improper Control of Dynamically-Identified Variables^*	CWE914	2010 A4, 2013 A4, 2021 A1, 2021 A3
Improperly Controlled Modification of Dynamically-Determined Object Attributes	CWE915	2019 API6, 2021 A1, 2021 A8	L1
Use of Password Hash With Insufficient Computational Effort^*	CWE916	2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2	L2			*
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')^*	CWE917	2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3			*
Server-Side Request Forgery (SSRF)	CWE918	2021 A1, 2021 A3, 2021 A10	L1		*
Improper Restriction of Power Consumption^*	CWE920	2004 A9	L1		*
Storage of Sensitive Data in a Mechanism without Access Control	CWE921	2014 M2, 2014 M4, 2016 M2, 2021 A1	L1
Insecure Storage of Sensitive Information^*	CWE922	2021 A1	L1
Improper Restriction of Communication Channel to Intended Endpoints^*	CWE923	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Enforcement of Message Integrity During Transmission in a Communication Channel^*	CWE924	2004 A3, 2021 A8	L2
Improper Verification of Intent by Broadcast Receiver	CWE925	2016 M1, 2021 A7
Improper Export of Android Application Components^*	CWE926	2004 A2, 2007 A10, 2010 A8, 2013 A7, 2016 M1, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1			*
Use of Implicit Intent for Sensitive Communication	CWE927	2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1, 2021 A4	L1			*
Improper Authorization in Handler for Custom URL Scheme^*	CWE939	2010 A4, 2010 A8, 2021 A1			*	*
Improper Verification of Source of a Communication Channel^*	CWE940	2021 A7	L1
Incorrectly Specified Destination in a Communication Channel^*	CWE941		L2
Permissive Cross-domain Policy with Untrusted Domains^*	CWE942	2004 A1, 2010 A4, 2010 A8, 2021 A1, 2021 A4, 2021 A5	L2		*	*
Improper Neutralization of Special Elements in Data Query Logic	CWE943	2004 A6, 2013 A1, 2017 A1, 2021 A3
Sensitive Cookie Without 'HttpOnly' Flag	CWE1004	2010 A6, 2021 A5	L1		*	*
Insufficient Visual Distinction of Homoglyphs Presented to User^*	CWE1007	2021 A4
Improper Restriction of Rendered UI Layers or Frames^*	CWE1021	2021 A1, 2021 A3, 2021 A4	L1
Use of Web Link to Untrusted Target with window.opener Access^*	CWE1022	2004 A2, 2021 A4
Incomplete Comparison with Missing Factors^*	CWE1023
Comparison of Incompatible Types^*	CWE1024
Comparison Using Wrong Factors^*	CWE1025
Processor Optimization Removal or Modification of Security-critical Code^*	CWE1037
Insecure Automated Optimizations^*	CWE1038
Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations^*	CWE1039
Use of Redundant Code^*	CWE1041
Static Member Data Element outside of a Singleton Class Element^*	CWE1042
Data Element Aggregating an Excessively Large Number of Non-Primitive Elements^*	CWE1043
Architecture with Number of Horizontal Layers Outside of Expected Range^*	CWE1044
Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor^*	CWE1045
Creation of Immutable Text Using String Concatenation^*	CWE1046
Modules with Circular Dependencies^*	CWE1047
Invokable Control Element with Large Number of Outward Calls^*	CWE1048
Excessive Data Query Operations in a Large Data Table^*	CWE1049
Excessive Platform Resource Consumption within a Loop^*	CWE1050	2004 A9
Initialization with Hard-Coded Network Resource Configuration Data^*	CWE1051
Excessive Use of Hard-Coded Literals in Initialization^*	CWE1052
Missing Documentation for Design^*	CWE1053	2019 API9	L2
Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer^*	CWE1054
Multiple Inheritance from Concrete Classes^*	CWE1055
Invokable Control Element with Variadic Parameters^*	CWE1056
Data Access Operations Outside of Expected Data Manager Component^*	CWE1057
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element^*	CWE1058
Insufficient Technical Documentation^*	CWE1059	2019 API9	L2
Excessive Number of Inefficient Server-Side Data Accesses^*	CWE1060
Insufficient Encapsulation^*	CWE1061
Parent Class with References to Child Class^*	CWE1062
Creation of Class Instance within a Static Code Block^*	CWE1063
Invokable Control Element with Signature Containing an Excessive Number of Parameters^*	CWE1064
Runtime Resource Management Control Element in a Component Built to Run on Application Servers^*	CWE1065
Missing Serialization Control Element^*	CWE1066
Excessive Execution of Sequential Searches of Data Resource^*	CWE1067
Inconsistency Between Implementation and Documented Design^*	CWE1068
Empty Exception Block^*	CWE1069
Serializable Data Element Containing non-Serializable Item Elements^*	CWE1070
Empty Code Block^*	CWE1071
Data Resource Access without Use of Connection Pooling^*	CWE1072	2004 A9
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses^*	CWE1073	2004 A9
Class with Excessively Deep Inheritance^*	CWE1074
Unconditional Control Flow Transfer outside of Switch Block^*	CWE1075
Insufficient Adherence to Expected Conventions^*	CWE1076
Floating Point Comparison with Incorrect Operator^*	CWE1077
Inappropriate Source Code Style or Formatting^*	CWE1078
Parent Class without Virtual Destructor Method^*	CWE1079
Source Code File with Excessive Number of Lines of Code^*	CWE1080
Class Instance Self Destruction Control Element^*	CWE1082
Data Access from Outside Expected Data Manager Component^*	CWE1083
Invokable Control Element with Excessive File or Data Access Operations^*	CWE1084	2004 A9
Invokable Control Element with Excessive Volume of Commented-out Code^*	CWE1085
Class with Excessive Number of Child Classes^*	CWE1086
Class with Virtual Method without a Virtual Destructor^*	CWE1087
Synchronous Access of Remote Resource without Timeout^*	CWE1088
Large Data Table with Excessive Number of Indices^*	CWE1089	2004 A9
Method Containing Access of a Member Element from Another Class^*	CWE1090
Use of Object without Invoking Destructor Method^*	CWE1091				*	*
Use of Same Invokable Control Element in Multiple Architectural Layers^*	CWE1092
Excessively Complex Data Representation^*	CWE1093
Excessive Index Range Scan for a Data Resource^*	CWE1094	2004 A9
Loop Condition Value Update within the Loop^*	CWE1095
Singleton Class Instance Creation without Proper Locking or Synchronization^*	CWE1096
Persistent Storable Data Element without Associated Comparison Control Element^*	CWE1097
Data Element containing Pointer Item without Proper Copy Control Element^*	CWE1098
Inconsistent Naming Conventions for Identifiers^*	CWE1099
Insufficient Isolation of System-Dependent Functions^*	CWE1100
Reliance on Runtime Component in Generated Code^*	CWE1101
Reliance on Machine-Dependent Data Representation^*	CWE1102
Use of Platform-Dependent Third Party Components^*	CWE1103
Use of Unmaintained Third Party Components	CWE1104	2021 A6	L2
Insufficient Encapsulation of Machine-Dependent Functionality^*	CWE1105
Insufficient Use of Symbolic Constants^*	CWE1106
Insufficient Isolation of Symbolic Constant Definitions^*	CWE1107
Excessive Reliance on Global Variables^*	CWE1108
Use of Same Variable for Multiple Purposes^*	CWE1109
Incomplete Design Documentation^*	CWE1110	2019 API9	L2
Incomplete I/O Documentation^*	CWE1111	2019 API9	L2
Incomplete Documentation of Program Execution^*	CWE1112	2019 API9	L2
Inappropriate Comment Style^*	CWE1113
Inappropriate Whitespace Style^*	CWE1114
Source Code Element without Standard Prologue^*	CWE1115
Inaccurate Comments^*	CWE1116
Callable with Insufficient Behavioral Summary^*	CWE1117
Insufficient Documentation of Error Handling Techniques^*	CWE1118	2019 API9	L2
Excessive Use of Unconditional Branching^*	CWE1119
Excessive Code Complexity^*	CWE1120
Excessive McCabe Cyclomatic Complexity^*	CWE1121
Excessive Halstead Complexity^*	CWE1122
Excessive Use of Self-Modifying Code^*	CWE1123
Excessively Deep Nesting^*	CWE1124
Excessive Attack Surface^*	CWE1125
Declaration of Variable with Unnecessarily Wide Scope^*	CWE1126
Compilation with Insufficient Warnings or Errors^*	CWE1127
Irrelevant Code^*	CWE1164
Improper Use of Validation Framework^*	CWE1173	2004 A1, 2021 A3, 2021 A4	L1		*	*
ASP.NET Misconfiguration: Improper Model Validation^*	CWE1174	2021 A4, 2021 A5
Inefficient CPU Computation^*	CWE1176	2004 A9
Use of Prohibited Code^*	CWE1177
DEPRECATED: Use of Uninitialized Resource^*	CWE1187
Initialization of a Resource with an Insecure Default^*	CWE1188					*
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)^*	CWE1189	2021 A1, 2021 A4
DMA Device Enabled Too Early in Boot Phase^*	CWE1190
On-Chip Debug and Test Interface With Improper Access Control^*	CWE1191	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Identifier for IP Block used in System-On-Chip (SOC)^*	CWE1192	2021 A4
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control^*	CWE1193
Generation of Weak Initialization Vector (IV)^*	CWE1204	2004 A2, 2021 A2	L1			*
Failure to Disable Reserved Bits^*	CWE1209
Insufficient Granularity of Access Control^*	CWE1220	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Incorrect Register Defaults or Module Parameters^*	CWE1221
Insufficient Granularity of Address Regions Protected by Register Locks^*	CWE1222
Race Condition for Write-Once Attributes^*	CWE1223		L2		*	*
Improper Restriction of Write-Once Bit Fields^*	CWE1224	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Creation of Emergent Resource^*	CWE1229
Exposure of Sensitive Information Through Metadata^*	CWE1230	2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1			*
Improper Prevention of Lock Bit Modification^*	CWE1231	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Lock Behavior After Power State Transition^*	CWE1232
Security-Sensitive Hardware Controls with Missing Lock Bit Protection^*	CWE1233	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Hardware Internal or Debug Modes Allow Override of Locks^*	CWE1234
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations^*	CWE1235	2004 A9	L1		*
Improper Neutralization of Formula Elements in a CSV File^*	CWE1236	2004 A6, 2013 A1, 2021 A3
Improper Zeroization of Hardware Register^*	CWE1239	2004 A8	L2
Use of a Cryptographic Primitive with a Risky Implementation^*	CWE1240	2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2	L2			*
Use of Predictable Algorithm in Random Number Generator^*	CWE1241	2004 A2, 2021 A2	L1			*
Inclusion of Undocumented Features or Chicken Bits^*	CWE1242	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Sensitive Non-Volatile Information Not Protected During Debug^*	CWE1243
Internal Asset Exposed to Unsafe Debug Access Level or State^*	CWE1244	2010 A4, 2010 A8, 2021 A1			*	*
Improper Finite State Machines (FSMs) in Hardware Logic^*	CWE1245
Improper Write Handling in Limited-write Non-Volatile Memories^*	CWE1246	2004 A9	L1		*
Improper Protection Against Voltage and Clock Glitches^*	CWE1247
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications^*	CWE1248
Application-Level Admin Tool with Inconsistent View of Underlying Operating System^*	CWE1249
Improper Preservation of Consistency Between Independent Representations of Shared State^*	CWE1250
Mirrored Regions with Different Values^*	CWE1251
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations^*	CWE1252	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Incorrect Selection of Fuse Values^*	CWE1253
Incorrect Comparison Logic Granularity^*	CWE1254
Comparison Logic is Vulnerable to Power Side-Channel Attacks^*	CWE1255
Improper Restriction of Software Interfaces to Hardware Features^*	CWE1256	2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1			*
Improper Access Control Applied to Mirrored or Aliased Memory Regions^*	CWE1257	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Exposure of Sensitive System Information Due to Uncleared Debug Information^*	CWE1258	2007 A6, 2021 A1	L1		*	*
Improper Restriction of Security Token Assignment^*	CWE1259	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Handling of Overlap Between Protected Memory Ranges^*	CWE1260	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Handling of Single Event Upsets^*	CWE1261
Improper Access Control for Register Interface^*	CWE1262	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Physical Access Control^*	CWE1263	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Hardware Logic with Insecure De-Synchronization between Control and Data Channels^*	CWE1264
Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls^*	CWE1265
Improper Scrubbing of Sensitive Data from Decommissioned Device^*	CWE1266	2004 A9				*
Policy Uses Obsolete Encoding^*	CWE1267	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Policy Privileges are not Assigned Consistently Between Control and Data Agents^*	CWE1268	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Product Released in Non-Release Configuration^*	CWE1269
Generation of Incorrect Security Tokens^*	CWE1270	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Uninitialized Value on Reset for Registers Holding Security Settings^*	CWE1271
Sensitive Information Uncleared Before Debug/Power State Transition^*	CWE1272	2004 A8	L2
Device Unlock Credential Sharing^*	CWE1273	2007 A6, 2021 A1	L1		*
Improper Access Control for Volatile Memory Containing Boot Code^*	CWE1274	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Sensitive Cookie with Improper SameSite Attribute	CWE1275	2021 A1	L1
Hardware Child Block Incorrectly Connected to Parent System^*	CWE1276	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Firmware Not Updateable^*	CWE1277
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques^*	CWE1278
Cryptographic Operations are run Before Supporting Units are Ready^*	CWE1279					*
Access Control Check Implemented After Asset is Accessed^*	CWE1280	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Sequence of Processor Instructions Leads to Unexpected Behavior^*	CWE1281
Assumed-Immutable Data is Stored in Writable Memory^*	CWE1282	2021 A1
Mutable Attestation or Measurement Reporting Data^*	CWE1283	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Validation of Specified Quantity in Input^*	CWE1284	2004 A1, 2021 A3	L1		*	*
Improper Validation of Specified Index, Position, or Offset in Input^*	CWE1285	2004 A1, 2021 A3	L1		*	*
Improper Validation of Syntactic Correctness of Input^*	CWE1286	2004 A1, 2021 A3	L1		*	*
Improper Validation of Specified Type of Input^*	CWE1287	2004 A1, 2021 A3	L1		*	*
Improper Validation of Consistency within Input^*	CWE1288	2004 A1, 2021 A3	L1		*	*
Improper Validation of Unsafe Equivalence in Input^*	CWE1289	2004 A1, 2021 A3	L1		*	*
Incorrect Decoding of Security Identifiers ^*	CWE1290	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Public Key Re-Use for Signing both Debug and Production Code^*	CWE1291
Incorrect Conversion of Security Identifiers^*	CWE1292	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Missing Source Correlation of Multiple Independent Data^*	CWE1293	2004 A3, 2021 A8	L2
Insecure Security Identifier Mechanism^*	CWE1294	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Debug Messages Revealing Unnecessary Information^*	CWE1295	2007 A6, 2021 A1	L1		*
Incorrect Chaining or Granularity of Debug Components^*	CWE1296	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Unprotected Confidential Information on Device is Accessible by OSAT Vendors^*	CWE1297	2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1			*
Hardware Logic Contains Race Conditions^*	CWE1298		L2		*	*
Missing Protection Mechanism for Alternate Hardware Interface^*	CWE1299	2007 A10, 2021 A7
Improper Protection of Physical Side Channels^*	CWE1300	2004 A7, 2007 A6
Insufficient or Incomplete Data Removal within Hardware Component^*	CWE1301	2004 A8	L2
Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)^*	CWE1302
Non-Transparent Sharing of Microarchitectural Resources^*	CWE1303	2004 A7, 2007 A6
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation^*	CWE1304	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Missing Ability to Patch ROM Code^*	CWE1310
Improper Translation of Security Attributes by Fabric Bridge^*	CWE1311	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall^*	CWE1312	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Hardware Allows Activation of Test or Debug Logic at Runtime^*	CWE1313	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Missing Write Protection for Parametric Data Values^*	CWE1314	2010 A4, 2010 A8, 2021 A1			*	*
Improper Setting of Bus Controlling Capability in Fabric End-point^*	CWE1315	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges^*	CWE1316	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improper Access Control in Fabric Bridge^*	CWE1317	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Missing Support for Security Features in On-chip Fabrics or Buses^*	CWE1318
Improper Protection against Electromagnetic Fault Injection (EM-FI)^*	CWE1319
Improper Protection for Outbound Error Messages and Alert Signals^*	CWE1320	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')^*	CWE1321	2019 API6, 2021 A1, 2021 A8	L1
Use of Blocking Code in Single-threaded, Non-blocking Context^*	CWE1322
Improper Management of Sensitive Trace Data^*	CWE1323	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface^*	CWE1324
Improperly Controlled Sequential Memory Allocation^*	CWE1325	2019 API4	L1			*
Missing Immutable Root of Trust in Hardware^*	CWE1326
Binding to an Unrestricted IP Address^*	CWE1327	2021 A1
Security Version Number Mutable to Older Versions^*	CWE1328	2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1	L1			*
Reliance on Component That is Not Updateable^*	CWE1329
Remanent Data Readable after Memory Erase^*	CWE1330
Improper Isolation of Shared Resources in Network On Chip (NoC)^*	CWE1331	2021 A1, 2021 A4
Improper Handling of Faults that Lead to Instruction Skips^*	CWE1332
Inefficient Regular Expression Complexity^*	CWE1333
Unauthorized Error Injection Can Degrade Hardware Redundancy^*	CWE1334	2004 A2, 2017 A5, 2019 API1, 2021 A1	L2
Incorrect Bitwise Shift of Integer^*	CWE1335					*
Improper Neutralization of Special Elements Used in a Template Engine^*	CWE1336	2021 A3	L1		*	*
Improper Protections Against Hardware Overheating^*	CWE1338
Insufficient Precision or Accuracy of a Real Number^*	CWE1339					*
Multiple Releases of Same Resource or Handle^*	CWE1341
Information Exposure through Microarchitectural State after Transient Execution^*	CWE1342	2004 A8	L2
Improper Handling of Hardware Behavior in Exceptionally Cold Environments^*	CWE1351
Reliance on Insufficiently Trustworthy Component^*	CWE1357
Improper Handling of Physical or Environmental Conditions^*	CWE1384
Missing Origin Validation in WebSockets^*	CWE1385	2021 A7	L1
Insecure Operation on Windows Junction / Mount Point^*	CWE1386	2021 A1				*
Incorrect Parsing of Numbers with Different Radices^*	CWE1389
Weak Authentication^*	CWE1390	2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7	L1		*
Use of Weak Credentials^*	CWE1391
Use of Default Credentials^*	CWE1392
Use of Default Password^*	CWE1393
Use of Default Cryptographic Key^*	CWE1394
Dependency on Vulnerable Third-Party Component^*	CWE1395	2021 A4
Incorrect Initialization of Resource^*	CWE1419					*
Exposure of Sensitive Information during Transient Execution^*	CWE1420
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution^*	CWE1421
Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution^*	CWE1422
Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution^*	CWE1423
Improper Validation of Generative AI Output^*	CWE1426

* The weakness or vulnerability is not included in the built-in rule package, but is a subset of another weakness in the built-in rule package, or supported through a custom rule package.

References

Names of vulnerability categories are according to the Common Weakness Enumeration List Version 4.14.
OWASP Top 10 lists are according to the OWASP Top Ten project.
OWASP ASVS list is according to OWASP Application Security Verification Standard 4.0.3.
CWE Top 25 list is according to CWE Top 25 Most Dangerous Software Errors.
CWE/SANS Top 25 list is according to SANS Top 25 Most Dangerous Software Errors Version 3.0.
PCI DSS list is according to Payment Card Industry (PCI) Data Security Standard, v4.0.