Lucent Sky AVM 支援的弱點類別清單

2024/12/4 |

這個文章說明了 Lucent Sky AVM 使用的弱點分類方式,以及列出可被 Lucent Sky AVM 檢測和修正的弱點類別清單。較早的 Lucent Sky AVM 版本可能沒有支援部分弱點類別。

Lucent Sky AVM 如何分類弱點

Lucent Sky AVM 使用 CWE ID 作為主要的分類方式。CWE 使用層疊式架構,也就是說一個弱點可能可以被歸類為好幾個不同的 CWE ID。對於這些弱點,Lucent Sky 團隊與外部專家以及相關人士合作來決定要使用哪個 CWE ID。

這麼做的目標是使用具有可識別且獨特定義的 CWE ID(例如選擇 CWE-201: Information Exposure Through Sent Data 而非 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor),並避免讓掃描結果充滿數百個相似的 CWE DI(例如選擇 CWE-22: Path Traversal 而非 CWE-32: Path Traversal: '…' (Triple Dot))。

弱點類別清單

名稱 CWE ID OWASP Top 10 OWASP ASVS PCI DSS CWE Top 25 CWE/SANS Top 25
J2EE Misconfiguration: Data Transmission Without Encryption CWE5 2004 A10, 2010 A9, 2013 A6, 2017 A3, 2021 A2 L1     *
J2EE Misconfiguration: Insufficient Session-ID Length CWE6 2004 A10        
J2EE Misconfiguration: Missing Custom Error Page CWE7 2004 A7, 2004 A10, 2021 A5        
J2EE Misconfiguration: Entity Bean Declared Remote CWE8 2004 A10, 2021 A1        
J2EE Misconfiguration: Weak Access Permissions for EJB Methods CWE9 2004 A2, 2004 A10, 2021 A4        
ASP.NET Misconfiguration: Creating Debug Binary CWE11 2004 A10, 2021 A5        
ASP.NET Misconfiguration: Missing Custom Error Page* CWE12 2004 A10, 2021 A5        
ASP.NET Misconfiguration: Password in Configuration File CWE13 2004 A10, 2021 A5        
Compiler Removal of Code to Clear Buffers CWE14 2004 A8        
External Control of System or Configuration Setting CWE15 2004 A1, 2021 A3, 2021 A4, 2021 A5 L1   * *
Improper Input Validation CWE20 2004 A1, 2014 M8, 2021 A3 L1   * *
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE22 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1 L1 v3.2.1 6.5.8, v4.0 6.2.4 * *
Relative Path Traversal CWE23 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1 L1   * *
Path Traversal: '../filedir'* CWE24 2021 A1        
Path Traversal: '/../filedir' CWE25 2021 A1        
Path Traversal: '/dir/../filename'* CWE26 2021 A1        
Path Traversal: 'dir/../../filename'* CWE27 2021 A1        
Path Traversal: '..\filedir' CWE28 2021 A1        
Path Traversal: '..\filename' CWE29 2021 A1        
Path Traversal: '\dir..\filename'* CWE30 2021 A1        
Path Traversal: 'dir....\filename' CWE31 2021 A1        
Path Traversal: '…' (Triple Dot) CWE32 2021 A1        
Path Traversal: '….' (Multiple Dot) CWE33 2021 A1        
Path Traversal: '….//' CWE34 2021 A1        
Path Traversal: '…/…//' CWE35 2021 A1        
Absolute Path Traversal CWE36 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1 L1   * *
Path Traversal: '/absolute/pathname/here'* CWE37          
Path Traversal: '\absolute\pathname\here'* CWE38          
Path Traversal: 'C:dirname'* CWE39          
Path Traversal: '\UNC\share\name' (Windows UNC Share) CWE40          
Improper Resolution of Path Equivalence* CWE41 2004 A2, 2013 A4, 2021 A1        
Path Equivalence: 'filename.' (Trailing Dot)* CWE42 2004 A2        
Path Equivalence: 'filename….' (Multiple Trailing Dot)* CWE43          
Path Equivalence: 'file.name' (Internal Dot)* CWE44 2004 A2        
Path Equivalence: 'file…name' (Multiple Internal Dot)* CWE45          
Path Equivalence: 'filename ' (Trailing Space)* CWE46 2004 A2        
Path Equivalence: ' filename' (Leading Space)* CWE47 2004 A2        
Path Equivalence: 'file name' (Internal Whitespace)* CWE48 2004 A2        
Path Equivalence: 'filename/' (Trailing Slash)* CWE49 2004 A2        
Path Equivalence: '//multiple/leading/slash' CWE50 2004 A2        
Path Equivalence: '/multiple//internal/slash'* CWE51 2004 A2        
Path Equivalence: '/multiple/trailing/slash//' CWE52 2004 A2        
Path Equivalence: '\multiple\internal\backslash' CWE53 2004 A2        
Path Equivalence: 'filedir' (Trailing Backslash)* CWE54 2004 A2        
Path Equivalence: '/./' (Single Dot Directory) CWE55 2004 A2        
Path Equivalence: 'filedir*' (Wildcard) CWE56 2004 A2        
Path Equivalence: 'fakedir/../realdir/filename' CWE57 2004 A2        
Path Equivalence: Windows 8.3 Filename CWE58 2004 A2        
Improper Link Resolution Before File Access ('Link Following')* CWE59 2013 A4, 2021 A1       *
UNIX Symbolic Link (Symlink) Following CWE61 2021 A1       *
UNIX Hard Link CWE62 2021 A1       *
Windows Shortcut Following (.LNK) CWE64 2021 A1       *
Windows Hard Link CWE65 2021 A1       *
Improper Handling of File Names that Identify Virtual Resources* CWE66 2013 A4, 2021 A1        
Improper Handling of Windows Device Names CWE67          
Improper Handling of Windows ::DATA Alternate Data Stream CWE69          
DEPRECATED: Apple '.DS_Store' CWE71          
Improper Handling of Apple HFS+ Alternate Data Stream Path CWE72          
External Control of File Name or Path CWE73 2004 A1, 2004 A2, 2021 A3, 2021 A4 L1   * *
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE74 2004 A6, 2013 A1, 2021 A3        
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) CWE75 2004 A6, 2013 A1, 2021 A3        
Improper Neutralization of Equivalent Special Elements CWE76 2021 A3        
Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE77 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3     *  
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE78 2004 A1, 2004 A6, 2007 A2, 2007 A3, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4 * *
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE79 2004 A1, 2004 A4, 2004 A6, 2007 A1, 2010 A2, 2013 A1, 2013 A3, 2014 M7, 2017 A7, 2021 A3 L1 v3.2.1 6.5.7, v4.0 6.2.4 * *
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE80 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 L1   * *
Improper Neutralization of Script in an Error Message Web Page CWE81 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 L1   * *
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page CWE82 2021 A3        
Improper Neutralization of Script in Attributes in a Web Page CWE83 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 L1   * *
Improper Neutralization of Encoded URI Schemes in a Web Page* CWE84 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 L1   * *
Doubled Character XSS Manipulations CWE85 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 L1   * *
Improper Neutralization of Invalid Characters in Identifiers in Web Pages CWE86 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 L1   * *
Improper Neutralization of Alternate XSS Syntax CWE87 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 L1   * *
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE88 2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3     *  
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE89 2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2014 M7, 2017 A1, 2019 API8, 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4 * *
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') CWE90 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4    
XML Injection (aka Blind XPath Injection) CWE91 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2014 M7, 2017 A1, 2019 API8, 2021 A3   v3.2.1 6.5.1, v4.0 6.2.4    
DEPRECATED: Improper Sanitization of Custom Special Characters CWE92          
Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE93 2004 A6, 2007 A2, 2013 A1, 2021 A3        
Improper Control of Generation of Code ('Code Injection') CWE94 2004 A6, 2013 A1, 2021 A1, 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4 * *
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE95 2004 A6, 2007 A3, 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4 * *
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE96 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4 * *
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page CWE97 2021 A3   v3.2.1 6.5.1, v4.0 6.2.4    
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE98 2004 A6, 2007 A3, 2010 A4, 2013 A4, 2021 A1, 2021 A3, 2021 A8 L1 v3.2.1 6.5.1, v4.0 6.2.4   *
Improper Control of Resource Identifiers ('Resource Injection')* CWE99 2004 A6, 2010 A4, 2013 A1, 2013 A4, 2021 A3        
Struts: Duplicate Validation Forms* CWE102 2004 A1, 2021 A3, 2021 A4 L1   * *
Struts: Incomplete validate() Method Definition* CWE103 2004 A1, 2021 A3 L1   * *
Struts: Form Bean Does Not Extend Validation Class* CWE104 2004 A1, 2021 A3 L1   * *
Struts: Form Field Without Validator* CWE105 2004 A1, 2021 A3, 2021 A4 L1   * *
Struts: Plug-in Framework not in Use CWE106 2004 A1, 2021 A3, 2021 A4 L1   * *
Struts: Unused Validation Form* CWE107 2004 A1, 2021 A3 L1   * *
Struts: Unvalidated Action Form* CWE108 2004 A1, 2021 A3, 2021 A4 L1   * *
Struts: Validator Turned Off* CWE109 2004 A1, 2021 A3, 2021 A4 L1   * *
Struts: Validator Without Form Field* CWE110 2004 A1, 2021 A3 L1   * *
Direct Use of Unsafe JNI* CWE111 2004 A1, 2021 A3 L1   * *
Missing XML Validation* CWE112 2004 A1, 2021 A3 L1   * *
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE113 2004 A1, 2007 A2, 2021 A3 L1   * *
Process Control* CWE114 2004 A1, 2004 A2, 2021 A3, 2021 A4 L1   * *
Misinterpretation of Input* CWE115   L2      
Improper Encoding or Escaping of Output* CWE116 2021 A3 L1     *
Improper Output Neutralization for Logs CWE117 2004 A1, 2004 A6, 2021 A3, 2021 A9 L1   * *
Incorrect Access of Indexable Resource ('Range Error')* CWE118          
Improper Restriction of Operations within the Bounds of a Memory Buffer CWE119 2004 A1, 2004 A5, 2021 A3 L1   * *
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE120 2004 A1, 2004 A5, 2021 A3 L1 v3.2.1 6.5.2, v4.0 6.2.4 * *
Stack-based Buffer Overflow* CWE121       *  
Heap-based Buffer Overflow* CWE122       *  
Write-what-where Condition* CWE123 2004 A5     * *
Buffer Underwrite ('Buffer Underflow')* CWE124       *  
Out-of-bounds Read* CWE125 2004 A5     * *
Buffer Over-read* CWE126       *  
Buffer Under-read* CWE127       *  
Wrap-around Error CWE128         *
Improper Validation of Array Index* CWE129 2004 A1, 2021 A3 L1   * *
Improper Handling of Length Parameter Inconsistency* CWE130 2004 A5     * *
Incorrect Calculation of Buffer Size CWE131         *
DEPRECATED: Miscalculated Null Termination* CWE132          
Use of Externally-Controlled Format String CWE134 2004 A1, 2004 A5, 2021 A1, 2021 A3 L1   * *
Incorrect Calculation of Multi-Byte String Length* CWE135         *
Improper Neutralization of Special Elements* CWE138 2021 A3 L1      
Improper Neutralization of Delimiters* CWE140 2021 A3 L1      
Improper Neutralization of Parameter/Argument Delimiters* CWE141          
Improper Neutralization of Value Delimiters* CWE142          
Improper Neutralization of Record Delimiters* CWE143          
Improper Neutralization of Line Delimiters* CWE144          
Improper Neutralization of Section Delimiters* CWE145          
Improper Neutralization of Expression/Command Delimiters* CWE146          
Improper Neutralization of Input Terminators* CWE147 2021 A3 L1      
Improper Neutralization of Input Leaders* CWE148 2021 A3 L1      
Improper Neutralization of Quoting Syntax* CWE149 2021 A3 L1      
Improper Neutralization of Escape, Meta, or Control Sequences* CWE150 2021 A3 L1      
Improper Neutralization of Comment Delimiters* CWE151 2021 A3 L1      
Improper Neutralization of Macro Symbols* CWE152 2021 A3 L1      
Improper Neutralization of Substitution Characters* CWE153 2021 A3 L1      
Improper Neutralization of Variable Name Delimiters* CWE154 2021 A3 L1      
Improper Neutralization of Wildcards or Matching Symbols* CWE155 2021 A3 L1      
Improper Neutralization of Whitespace* CWE156 2021 A3 L1      
Failure to Sanitize Paired Delimiters* CWE157 2021 A3 L1      
Improper Neutralization of Null Byte or NUL Character CWE158 2021 A3 L1      
Improper Handling of Invalid Use of Special Elements* CWE159 2021 A3 L1      
Improper Neutralization of Leading Special Elements* CWE160 2021 A3 L1      
Improper Neutralization of Multiple Leading Special Elements* CWE161          
Improper Neutralization of Trailing Special Elements* CWE162 2021 A3 L1      
Improper Neutralization of Multiple Trailing Special Elements* CWE163          
Improper Neutralization of Internal Special Elements* CWE164 2021 A3 L1      
Improper Neutralization of Multiple Internal Special Elements* CWE165          
Improper Handling of Missing Special Element* CWE166 2004 A1, 2004 A7 L1      
Improper Handling of Additional Special Element* CWE167 2004 A1, 2004 A7 L1      
Improper Handling of Inconsistent Special Elements* CWE168 2004 A7 L1      
Improper Null Termination CWE170 2004 A1, 2004 A9, 2021 A3 L1   * *
Encoding Error* CWE172          
Improper Handling of Alternate Encoding* CWE173   L1      
Double Decoding of the Same Data* CWE174          
Improper Handling of Mixed Encoding* CWE175          
Improper Handling of Unicode Encoding CWE176   L1      
Improper Handling of URL Encoding (Hex Encoding)* CWE177          
Improper Handling of Case Sensitivity* CWE178 2013 A4, 2021 A1        
Incorrect Behavior Order: Early Validation* CWE179 2004 A1, 2021 A3 L1   * *
Incorrect Behavior Order: Validate Before Canonicalize* CWE180 2004 A1        
Incorrect Behavior Order: Validate Before Filter* CWE181 2004 A1        
Collapse of Data into Unsafe Value* CWE182 2004 A1        
Permissive List of Allowed Inputs* CWE183 2004 A1, 2021 A4        
Incomplete List of Disallowed Inputs* CWE184 2021 A3        
Incorrect Regular Expression CWE185          
Overly Restrictive Regular Expression* CWE186          
Partial String Comparison* CWE187          
Reliance on Data/Memory Layout* CWE188          
Integer Overflow or Wraparound CWE190 2004 A1, 2021 A3 L1   * *
Integer Underflow (Wrap or Wraparound)* CWE191         *
Integer Coercion Error CWE192         *
Off-by-one Error* CWE193         *
Unexpected Sign Extension* CWE194         *
Signed to Unsigned Conversion Error CWE195         *
Unsigned to Signed Conversion Error* CWE196         *
Numeric Truncation Error CWE197         *
Use of Incorrect Byte Ordering* CWE198          
Exposure of Sensitive Information to an Unauthorized Actor CWE200 2007 A6, 2021 A1 L1 v3.2.1 6.5.5, v4.0 6.2.4 *  
Insertion of Sensitive Information Into Sent Data* CWE201 2007 A6, 2021 A1 L1   *  
Exposure of Sensitive Information Through Data Queries* CWE202          
Observable Discrepancy CWE203 2004 A7, 2007 A6, 2021 A1 L1   *  
Observable Response Discrepancy* CWE204 2004 A7, 2007 A6        
Observable Behavioral Discrepancy* CWE205 2004 A7, 2007 A6        
Observable Internal Behavioral Discrepancy* CWE206          
Observable Behavioral Discrepancy With Equivalent Products* CWE207          
Observable Timing Discrepancy* CWE208 2004 A7, 2007 A6        
Generation of Error Message Containing Sensitive Information CWE209 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A1, 2021 A4 L1 v3.2.1 6.5.5, v4.0 6.2.4 * *
Self-generated Error Message Containing Sensitive Information* CWE210 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4 L1     *
Externally-Generated Error Message Containing Sensitive Information CWE211 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4       *
Improper Removal of Sensitive Information Before Storage or Transfer CWE212   L1     *
Exposure of Sensitive Information Due to Incompatible Policies CWE213 2007 A6, 2019 API3, 2021 A1, 2021 A4 L1   *  
Invocation of Process Using Visible Sensitive Information* CWE214 2021 A1 L1      
Insertion of Sensitive Information Into Debugging Code CWE215 2004 A10, 2007 A6, 2013 A5, 2021 A1 L1   *  
DEPRECATED: Containment Errors (Container Errors)* CWE216          
DEPRECATED: Failure to Protect Stored Data from Modification* CWE217          
DEPRECATED: Failure to provide confidentiality for stored data* CWE218          
Storage of File with Sensitive Data Under Web Root* CWE219 2004 A10, 2010 A6, 2021 A1 L1      
Storage of File With Sensitive Data Under FTP Root* CWE220 2004 A10, 2010 A6, 2017 A3, 2021 A1 L1      
Information Loss or Omission* CWE221          
Truncation of Security-relevant Information* CWE222          
Omission of Security-relevant Information* CWE223 2017 A10, 2019 API10, 2021 A9        
Obscured Security-relevant Information by Alternate Name* CWE224          
DEPRECATED: General Information Management Problems* CWE225          
Sensitive Information in Resource Not Removed Before Reuse* CWE226 2004 A8, 2004 A10 L1     *
Improper Handling of Syntactically Invalid Structure* CWE228 2004 A7        
Improper Handling of Values* CWE229 2004 A7        
Improper Handling of Missing Values* CWE230          
Improper Handling of Extra Values* CWE231          
Improper Handling of Undefined Values* CWE232          
Improper Handling of Parameters* CWE233 2004 A7 L2      
Failure to Handle Missing Parameter* CWE234   L2      
Improper Handling of Extra Parameters* CWE235 2021 A4 L1      
Improper Handling of Undefined Parameters* CWE236   L2      
Improper Handling of Structural Elements* CWE237 2004 A7        
Improper Handling of Incomplete Structural Elements* CWE238          
Failure to Handle Incomplete Element* CWE239          
Improper Handling of Inconsistent Structural Elements* CWE240          
Improper Handling of Unexpected Data Type* CWE241 2004 A7        
Use of Inherently Dangerous Function CWE242 2016 M1, 2016 M7   v3.2.1 6.5.6, v4.0 6.2.4    
Creation of chroot Jail Without Changing Working Directory* CWE243          
Improper Clearing of Heap Memory Before Release ('Heap Inspection')* CWE244 2004 A8 L2      
J2EE Bad Practices: Direct Management of Connections* CWE245          
J2EE Bad Practices: Direct Use of Sockets* CWE246          
DEPRECATED: Reliance on DNS Lookups in a Security Decision* CWE247          
Uncaught Exception* CWE248 2004 A9        
DEPRECATED: Often Misused: Path Manipulation* CWE249          
Execution with Unnecessary Privileges* CWE250 2010 A6, 2021 A4 L2   * *
Unchecked Return Value CWE252 2004 A7 L2     *
Incorrect Check of Function Return Value CWE253   L2     *
Plaintext Storage of a Password* CWE256 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4 L2   *  
Storing Passwords in a Recoverable Format* CWE257 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4     *  
Empty Password in Configuration File* CWE258 2004 A3, 2021 A5, 2021 A7 L1      
Use of Hard-coded Password CWE259 2004 A3, 2010 A3, 2019 API2, 2021 A7 L2   * *
Password in Configuration File* CWE260 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4, 2021 A5     *  
Weak Encoding for Password* CWE261 2004 A3, 2004 A8, 2007 A7, 2013 A2, 2017 A2, 2021 A2, 2021 A4     *  
Not Using Password Aging* CWE262          
Password Aging with Long Expiration* CWE263   L1      
Incorrect Privilege Assignment* CWE266 2004 A2, 2021 A4     *  
Privilege Defined With Unsafe Actions* CWE267 2021 A4     *  
Privilege Chaining* CWE268 2004 A2, 2021 A4     *  
Improper Privilege Management* CWE269 2004 A2, 2017 A5, 2019 API1, 2021 A1, 2021 A4 L2   *  
Privilege Context Switching Error* CWE270 2021 A4     *  
Privilege Dropping / Lowering Errors* CWE271 2021 A4     *  
Least Privilege Violation* CWE272   L2      
Improper Check for Dropped Privileges* CWE273   L2     *
Improper Handling of Insufficient Privileges* CWE274 2021 A4     *  
Incorrect Default Permissions* CWE276 2010 A6, 2021 A1 L2   * *
Insecure Inherited Permissions* CWE277 2010 A6 L2   * *
Insecure Preserved Inherited Permissions* CWE278 2010 A6 L2   * *
Incorrect Execution-Assigned Permissions* CWE279 2010 A6 L2   * *
Improper Handling of Insufficient Permissions or Privileges * CWE280 2021 A4        
Improper Preservation of Permissions* CWE281 2010 A6 L2   * *
Improper Ownership Management* CWE282 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Unverified Ownership* CWE283 2004 A2        
Improper Access Control* CWE284 2004 A2, 2014 M5, 2016 M4, 2017 A5, 2019 API1, 2021 A1 L2 v3.2.1 6.5.8, v3.2.1 6.5.10, v4.0 6.2.4    
Improper Authorization* CWE285 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1     *
Incorrect User Management* CWE286 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Authentication* CWE287 2004 A2, 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2017 A5, 2019 API1, 2021 A1, 2021 A7 L1 v3.2.1 6.5.10, v4.0 6.2.4 *  
Authentication Bypass Using an Alternate Path or Channel* CWE288 2004 A2, 2007 A10, 2010 A3, 2017 A5, 2019 API1, 2021 A1, 2021 A7 L1   * *
Authentication Bypass by Alternate Name* CWE289          
Authentication Bypass by Spoofing* CWE290 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 L1   *  
Reliance on IP Address for Authentication* CWE291 2021 A3, 2021 A7 L2      
DEPRECATED: Trusting Self-reported DNS Name* CWE292          
Using Referer Field for Authentication* CWE293 2021 A7 L2      
Authentication Bypass by Capture-replay* CWE294 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 L1   *  
Improper Certificate Validation CWE295 2004 A3, 2004 A10, 2007 A7, 2010 A3, 2013 A2, 2014 M5, 2016 M4, 2017 A2, 2017 A3, 2021 A7 L1 v3.2.1 6.5.3, v3.2.1 6.5.4, v3.2.1 6.5.10, v4.0 6.2.4 *  
Improper Following of a Certificate's Chain of Trust* CWE296 2004 A3, 2004 A10, 2017 A3, 2021 A2, 2021 A7 L2   *  
Improper Validation of Certificate with Host Mismatch CWE297 2004 A10, 2017 A3, 2021 A7 L2   *  
Improper Validation of Certificate Expiration* CWE298 2004 A3, 2004 A10, 2017 A3, 2021 A7 L2   * *
Improper Check for Certificate Revocation* CWE299 2004 A9, 2004 A10, 2017 A3, 2021 A7 L2   * *
Channel Accessible by Non-Endpoint* CWE300 2021 A7 L2      
Reflection Attack in an Authentication Protocol* CWE301 2007 A7        
Authentication Bypass by Assumed-Immutable Data* CWE302 2004 A3, 2021 A4, 2021 A7       *
Incorrect Implementation of Authentication Algorithm* CWE303          
Missing Critical Step in Authentication* CWE304 2004 A3, 2021 A7 L1      
Authentication Bypass by Primary Weakness* CWE305          
Missing Authentication for Critical Function* CWE306 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 L1   * *
Improper Restriction of Excessive Authentication Attempts* CWE307 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2019 API4, 2021 A4, 2021 A7 L1   * *
Use of Single-factor Authentication* CWE308 2017 A2 L2      
Use of Password System for Primary Authentication* CWE309 2004 A3        
Missing Encryption of Sensitive Data CWE311 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2017 A3, 2021 A4 L2 v3.2.1 6.5.3, v3.2.1 6.5.4, v3.2.1 6.5.10, v4.0 6.2.4   *
Cleartext Storage of Sensitive Information CWE312 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2014 M2, 2016 M2, 2017 A3, 2021 A1, 2021 A4 L1     *
Cleartext Storage in a File or on Disk* CWE313 2010 A7, 2013 A6, 2017 A3, 2021 A4        
Cleartext Storage in the Registry* CWE314 2010 A7, 2013 A6, 2017 A3, 2021 A4        
Cleartext Storage of Sensitive Information in a Cookie CWE315 2010 A7, 2013 A6, 2017 A3, 2021 A4, 2021 A5        
Cleartext Storage of Sensitive Information in Memory* CWE316 2010 A7, 2013 A6, 2017 A3, 2021 A4        
Cleartext Storage of Sensitive Information in GUI* CWE317 2010 A7, 2013 A6, 2017 A3, 2021 A4        
Cleartext Storage of Sensitive Information in Executable* CWE318 2010 A7, 2013 A6, 2017 A3, 2021 A4        
Cleartext Transmission of Sensitive Information CWE319 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2014 M3, 2016 M3, 2017 A3, 2021 A2, 2021 A4 L1     *
Use of Hard-coded Cryptographic Key CWE321 2004 A3, 2004 A8, 2007 A8, 2007 A9, 2010 A3, 2019 API2, 2021 A2, 2021 A7 L2   * *
Key Exchange without Entity Authentication* CWE322 2010 A3, 2021 A2, 2021 A7 L1   * *
Reusing a Nonce, Key Pair in Encryption* CWE323 2021 A2        
Use of a Key Past its Expiration Date* CWE324 2021 A2       *
Missing Cryptographic Step* CWE325 2007 A8, 2007 A9, 2013 A6, 2017 A3, 2021 A2        
Inadequate Encryption Strength CWE326 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2 L1 v3.2.1 6.5.3, v4.0 6.2.4    
Use of a Broken or Risky Cryptographic Algorithm CWE327 2004 A8, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2 L2 v3.2.1 6.5.3, v4.0 6.2.4   *
Use of Weak Hash CWE328 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2 L1 v3.2.1 6.5.3, v4.0 6.2.4   *
Generation of Predictable IV with CBC Mode CWE329 2021 A2   v3.2.1 6.5.3, v4.0 6.2.4    
Use of Insufficiently Random Values CWE330 2004 A2, 2021 A2 L1     *
Insufficient Entropy* CWE331 2004 A2, 2021 A2 L1     *
Insufficient Entropy in PRNG* CWE332 2021 A2 L1      
Improper Handling of Insufficient Entropy in TRNG* CWE333 2021 A2 L1      
Small Space of Random Values* CWE334 2004 A2, 2021 A2 L1     *
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)* CWE335 2004 A2, 2021 A2 L1     *
Same Seed in Pseudo-Random Number Generator (PRNG)* CWE336 2021 A2        
Predictable Seed in Pseudo-Random Number Generator (PRNG)* CWE337 2021 A2        
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)* CWE338 2004 A2, 2021 A2 L1     *
Small Seed Space in PRNG* CWE339 2021 A2        
Generation of Predictable Numbers or Identifiers* CWE340 2004 A2, 2021 A2 L1     *
Predictable from Observable State* CWE341 2021 A2        
Predictable Exact Value from Previous Values* CWE342 2021 A2        
Predictable Value Range from Previous Values* CWE343 2021 A2        
Use of Invariant Value in Dynamically Changing Context* CWE344 2004 A2, 2021 A2 L1     *
Insufficient Verification of Data Authenticity* CWE345 2004 A3, 2021 A8 L2      
Origin Validation Error* CWE346 2004 A2, 2004 A3, 2017 A5, 2019 API1, 2021 A1, 2021 A7, 2021 A8 L1      
Improper Verification of Cryptographic Signature* CWE347 2004 A3, 2021 A2, 2021 A8 L2      
Use of Less Trusted Source* CWE348 2004 A3, 2021 A8 L2      
Acceptance of Extraneous Untrusted Data With Trusted Data* CWE349 2004 A3, 2021 A8 L2      
Reliance on Reverse DNS Resolution for a Security-Critical Action* CWE350 2021 A4, 2021 A7 L1     *
Insufficient Type Distinction* CWE351 2004 A3, 2021 A8 L2      
Cross-Site Request Forgery (CSRF) CWE352 2004 A3, 2007 A5, 2010 A5, 2013 A8, 2021 A1, 2021 A8 L1 v3.2.1 6.5.9, v4.0 6.2.4 * *
Missing Support for Integrity Check CWE353 2004 A3, 2021 A8 L1      
Improper Validation of Integrity Check Value* CWE354 2004 A3, 2021 A8 L2     *
Product UI does not Warn User of Unsafe Actions* CWE356          
Insufficient UI Warning of Dangerous Operations* CWE357          
Improperly Implemented Security Check for Standard* CWE358          
Exposure of Private Personal Information to an Unauthorized Actor CWE359 2007 A6, 2017 A3, 2021 A1 L1   *  
Trust of System Event Data* CWE360 2004 A3, 2021 A8 L2      
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE362   L2   * *
Race Condition Enabling Link Following* CWE363   L2      
Signal Handler Race Condition* CWE364   L2   * *
DEPRECATED: Race Condition in Switch* CWE365          
Race Condition within a Thread CWE366   L2   * *
Time-of-check Time-of-use (TOCTOU) Race Condition* CWE367   L2   * *
Context Switching Race Condition* CWE368   L2   * *
Divide By Zero CWE369 2004 A9       *
Missing Check for Certificate Revocation after Initial Check* CWE370   L2      
Incomplete Internal State Distinction* CWE372          
DEPRECATED: State Synchronization Error* CWE373          
Passing Mutable Objects to an Untrusted Method CWE374 2021 A1        
Returning a Mutable Object to an Untrusted Caller* CWE375 2021 A1        
Insecure Temporary File* CWE377 2021 A1        
Creation of Temporary File With Insecure Permissions* CWE378 2021 A1        
Creation of Temporary File in Directory with Insecure Permissions* CWE379 2021 A1        
J2EE Bad Practices: Use of System.exit() CWE382 2004 A9        
J2EE Bad Practices: Direct Use of Threads* CWE383          
Session Fixation* CWE384 2004 A3, 2013 A2, 2014 M9, 2017 A2, 2021 A3, 2021 A7 L1      
Covert Timing Channel* CWE385   L3      
Symbolic Name not Mapping to Correct Object* CWE386 2013 A4, 2021 A1        
Detection of Error Condition Without Action* CWE390 2004 A7 L2      
Unchecked Error Condition CWE391 2004 A7 L2     *
Missing Report of Error Condition* CWE392          
Return of Wrong Status Code* CWE393          
Unexpected Status Code or Return Value* CWE394 2004 A7 L2     *
Use of NullPointerException Catch to Detect NULL Pointer Dereference* CWE395          
Declaration of Catch for Generic Exception CWE396          
Declaration of Throws for Generic Exception* CWE397          
Uncontrolled Resource Consumption CWE400 2004 A9 L1   *  
Missing Release of Memory after Effective Lifetime CWE401 2004 A9     * *
Transmission of Private Resources into a New Sphere ('Resource Leak')* CWE402 2021 A1        
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')* CWE403 2021 A1        
Improper Resource Shutdown or Release CWE404 2004 A9       *
Asymmetric Resource Consumption (Amplification)* CWE405 2004 A9 L1   *  
Insufficient Control of Network Message Volume (Network Amplification)* CWE406 2004 A9        
Inefficient Algorithmic Complexity* CWE407 2004 A9        
Incorrect Behavior Order: Early Amplification* CWE408 2004 A9        
Improper Handling of Highly Compressed Data (Data Amplification)* CWE409 2004 A9 L2      
Insufficient Resource Pool* CWE410 2004 A9        
Unrestricted Externally Accessible Lock* CWE412 2004 A9        
Improper Resource Locking* CWE413          
Missing Lock Check* CWE414          
Double Free CWE415         *
Use After Free CWE416       * *
Unprotected Primary Channel* CWE419 2021 A4 L1      
Unprotected Alternate Channel* CWE420   L2      
Race Condition During Access to Alternate Channel* CWE421   L2   * *
Unprotected Windows Messaging Channel ('Shatter')* CWE422          
DEPRECATED: Proxied Trusted Channel* CWE423          
Improper Protection of Alternate Path* CWE424          
Direct Request ('Forced Browsing')* CWE425 2004 A1, 2004 A2, 2007 A10, 2010 A4, 2010 A8, 2017 A5, 2021 A1, 2021 A7     * *
Untrusted Search Path* CWE426 2021 A1, 2021 A4, 2021 A8     * *
Uncontrolled Search Path Element* CWE427 2021 A1        
Unquoted Search Path or Element* CWE428 2021 A1        
Deployment of Wrong Handler* CWE430 2021 A4        
Missing Handler* CWE431   L2      
Dangerous Signal Handler not Disabled During Sensitive Operations* CWE432          
Unparsed Raw Web Content Delivery* CWE433 2004 A10, 2010 A6, 2021 A1        
Unrestricted Upload of File with Dangerous Type* CWE434 2007 A3, 2010 A4, 2021 A4 L1   * *
Improper Interaction Between Multiple Correctly-Behaving Entities* CWE435          
Interpretation Conflict* CWE436   L2      
Incomplete Model of Endpoint Features* CWE437   L2      
Behavioral Change in New Version or Environment* CWE439          
Expected Behavior Violation CWE440          
Unintended Proxy or Intermediary ('Confused Deputy')* CWE441 2021 A1, 2021 A3        
DEPRECATED: HTTP response splitting* CWE443          
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')* CWE444 2021 A4 L2      
UI Discrepancy for Security Feature* CWE446          
Unimplemented or Unsupported Feature in UI* CWE447          
Obsolete Feature in UI* CWE448          
The UI Performs the Wrong Action* CWE449          
Multiple Interpretations of UI Input* CWE450          
User Interface (UI) Misrepresentation of Critical Information* CWE451 2021 A4        
Insecure Default Variable Initialization* CWE453          
External Initialization of Trusted Variables or Data Stores* CWE454         *
Non-exit on Failed Initialization* CWE455 2004 A7       *
Missing Initialization of a Variable* CWE456         *
Use of Uninitialized Variable CWE457         *
DEPRECATED: Incorrect Initialization* CWE458          
Incomplete Cleanup* CWE459 2004 A9, 2004 A10       *
Improper Cleanup on Thrown Exception* CWE460 2004 A10        
Duplicate Key in Associative List (Alist)* CWE462          
Deletion of Data Structure Sentinel* CWE463          
Addition of Data Structure Sentinel* CWE464 2021 A3 L1      
Return of Pointer Value Outside of Expected Range* CWE466 2004 A1, 2004 A5, 2021 A3 L1   * *
Use of sizeof() on a Pointer Type CWE467         *
Incorrect Pointer Scaling* CWE468         *
Use of Pointer Subtraction to Determine Size* CWE469         *
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE470 2004 A1, 2021 A1, 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4 * *
Modification of Assumed-Immutable Data (MAID)* CWE471 2021 A3        
External Control of Assumed-Immutable Web Parameter* CWE472 2004 A1, 2007 A4, 2021 A3, 2021 A4       *
PHP External Variable Modification* CWE473 2021 A3        
Use of Function with Inconsistent Implementations* CWE474          
Undefined Behavior for Input to API CWE475          
NULL Pointer Dereference CWE476 2004 A9 L2   * *
Use of Obsolete Function CWE477   L2      
Missing Default Case in Multiple Condition Expression* CWE478          
Signal Handler Use of a Non-reentrant Function* CWE479          
Use of Incorrect Operator CWE480          
Assigning instead of Comparing CWE481          
Comparing instead of Assigning* CWE482          
Incorrect Block Delimitation* CWE483          
Omitted Break Statement in Switch CWE484          
Comparison of Classes by Name* CWE486          
Reliance on Package-level Scope* CWE487          
Exposure of Data Element to Wrong Session* CWE488 2021 A1        
Active Debug Code* CWE489 2004 A10        
Public cloneable() Method Without Final ('Object Hijack')* CWE491 2021 A1        
Use of Inner Class Containing Sensitive Data* CWE492 2021 A1        
Critical Public Variable Without Final Modifier CWE493 2021 A1        
Download of Code Without Integrity Check* CWE494 2004 A3, 2021 A8 L2     *
Private Data Structure Returned From A Public Method* CWE495          
Public Data Assigned to Private Array-Typed Field* CWE496          
Exposure of Sensitive System Information to an Unauthorized Control Sphere* CWE497 2007 A6, 2021 A1 L1 v3.2.1 6.5.5, v4.0 6.2.4 *  
Cloneable Class Containing Sensitive Information* CWE498 2021 A1        
Serializable Class Containing Sensitive Data* CWE499 2021 A1        
Public Static Field Not Marked Final* CWE500          
Trust Boundary Violation CWE501 2021 A4        
Deserialization of Untrusted Data CWE502 2017 A8, 2021 A1, 2021 A8 L1   *  
Embedded Malicious Code* CWE506          
Trojan Horse* CWE507   L3      
Non-Replicating Malicious Code* CWE508   L3      
Replicating Malicious Code (Virus or Worm)* CWE509   L1      
Trapdoor* CWE510          
Logic/Time Bomb* CWE511   L3      
Spyware* CWE512          
Covert Channel* CWE514          
Covert Storage Channel* CWE515          
DEPRECATED: Covert Timing Channel* CWE516          
.NET Misconfiguration: Use of Impersonation* CWE520 2004 A2, 2004 A10, 2021 A4, 2021 A5        
Weak Password Requirements* CWE521 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 L1   *  
Insufficiently Protected Credentials* CWE522 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A1, 2021 A4, 2021 A7 L1   *  
Unprotected Transport of Credentials* CWE523 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A2, 2021 A4 L1   *  
Use of Cache Containing Sensitive Information* CWE524 2021 A1 L2      
Use of Web Browser Cache Containing Sensitive Information* CWE525 2004 A2, 2004 A3, 2021 A4 L1      
Cleartext Storage of Sensitive Information in an Environment Variable* CWE526 2004 A10, 2010 A7, 2013 A6, 2017 A3, 2021 A4, 2021 A5        
Exposure of Version-Control Repository to an Unauthorized Control Sphere* CWE527 2004 A10, 2010 A6, 2021 A1 L1      
Exposure of Core Dump File to an Unauthorized Control Sphere* CWE528 2004 A10, 2010 A6, 2021 A1 L1      
Exposure of Access Control List Files to an Unauthorized Control Sphere* CWE529 2004 A10, 2010 A6, 2021 A1 L1      
Exposure of Backup File to an Unauthorized Control Sphere* CWE530 2004 A10, 2010 A6, 2021 A1 L1      
Inclusion of Sensitive Information in Test Code* CWE531 2004 A10, 2021 A1        
Insertion of Sensitive Information into Log File* CWE532 2004 A10, 2007 A6, 2010 A6, 2021 A1, 2021 A9 L1   *  
DEPRECATED: Information Exposure Through Server Log Files* CWE533          
DEPRECATED: Information Exposure Through Debug Log Files* CWE534          
Exposure of Information Through Shell Error Message* CWE535          
Servlet Runtime Error Message Containing Sensitive Information* CWE536          
Java Runtime Error Message Containing Sensitive Information* CWE537 2021 A5        
Insertion of Sensitive Information into Externally-Accessible File or Directory* CWE538 2007 A6, 2010 A6, 2021 A1 L1   *  
Use of Persistent Cookies Containing Sensitive Information CWE539 2004 A8, 2004 A10, 2010 A6, 2021 A1, 2021 A4 L1      
Inclusion of Sensitive Information in Source Code* CWE540 2004 A10, 2010 A6, 2021 A1        
Inclusion of Sensitive Information in an Include File* CWE541 2004 A10, 2021 A1, 2021 A5        
DEPRECATED: Information Exposure Through Cleanup Log Files* CWE542          
Use of Singleton Pattern Without Synchronization in a Multithreaded Context CWE543          
Missing Standardized Error Handling Mechanism* CWE544   L2      
DEPRECATED: Use of Dynamic Class Loading* CWE545          
Suspicious Comment* CWE546          
Use of Hard-coded, Security-relevant Constants* CWE547 2021 A5        
Exposure of Information Through Directory Listing* CWE548 2004 A10, 2013 A5, 2017 A6, 2021 A1 L1      
Missing Password Field Masking* CWE549 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4     *  
Server-generated Error Message Containing Sensitive Information* CWE550 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4       *
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization* CWE551 2004 A2, 2010 A4, 2010 A8, 2021 A1     * *
Files or Directories Accessible to External Parties CWE552 2004 A2, 2004 A10, 2007 A10, 2010 A6, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1     *
Command Shell in Externally Accessible Directory* CWE553 2004 A10, 2010 A6, 2021 A1 L1      
ASP.NET Misconfiguration: Not Using Input Validation Framework* CWE554 2004 A10, 2021 A4        
J2EE Misconfiguration: Plaintext Password in Configuration File* CWE555 2004 A10, 2021 A5        
ASP.NET Misconfiguration: Use of Identity Impersonation* CWE556 2004 A2, 2004 A10, 2021 A4        
Use of getlogin() in Multithreaded Application* CWE558          
Use of umask() with chmod-style Argument* CWE560          
Dead Code CWE561          
Return of Stack Variable Address CWE562          
Assignment to Variable without Use CWE563          
SQL Injection: Hibernate CWE564 2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 L1   * *
Reliance on Cookies without Validation and Integrity Checking* CWE565 2004 A1, 2021 A4, 2021 A8 L1     *
Authorization Bypass Through User-Controlled SQL Primary Key* CWE566 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2019 API1, 2021 A1 L1      
Unsynchronized Access to Shared Data in a Multithreaded Context* CWE567          
finalize() Method Without super.finalize() CWE568 2004 A10        
Expression is Always False CWE570          
Expression is Always True CWE571          
Call to Thread run() instead of start() CWE572          
Improper Following of Specification by Caller* CWE573          
EJB Bad Practices: Use of Synchronization Primitives* CWE574          
EJB Bad Practices: Use of AWT Swing* CWE575          
EJB Bad Practices: Use of Java I/O* CWE576          
EJB Bad Practices: Use of Sockets* CWE577          
EJB Bad Practices: Use of Class Loader* CWE578          
J2EE Bad Practices: Non-serializable Object Stored in Session CWE579 2021 A4        
clone() Method Without super.clone() CWE580          
Object Model Violation: Just One of Equals and Hashcode Defined* CWE581          
Array Declared Public, Final, and Static* CWE582 2021 A1        
finalize() Method Declared Public CWE583 2021 A1        
Return Inside Finally Block* CWE584          
Empty Synchronized Block CWE585          
Explicit Call to Finalize() CWE586          
Assignment of a Fixed Address to a Pointer CWE587          
Attempt to Access Child of a Non-structure Pointer* CWE588          
Call to Non-ubiquitous API* CWE589          
Free of Memory not on the Heap CWE590          
Sensitive Data Storage in Improperly Locked Memory* CWE591 2004 A8        
DEPRECATED: Authentication Bypass Issues* CWE592          
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created* CWE593          
J2EE Framework: Saving Unserializable Objects to Disk* CWE594          
Comparison of Object References Instead of Object Contents CWE595          
DEPRECATED: Incorrect Semantic Object Comparison* CWE596          
Use of Wrong Operator in String Comparison CWE597          
Use of GET Request Method With Sensitive Query Strings* CWE598 2004 A8, 2021 A1, 2021 A4 L1      
Missing Validation of OpenSSL Certificate* CWE599 2004 A10, 2017 A3, 2021 A7 L2   *  
Uncaught Exception in Servlet * CWE600 2004 A9        
URL Redirection to Untrusted Site ('Open Redirect') CWE601 2004 A1, 2010 A10, 2013 A10, 2021 A1, 2021 A3 L1     *
Client-Side Enforcement of Server-Side Security* CWE602 2004 A1, 2021 A4 L1     *
Use of Client-Side Authentication* CWE603 2004 A1, 2021 A4 L1     *
Multiple Binds to the Same Port* CWE605          
Unchecked Input for Loop Condition* CWE606          
Public Static Final Field References Mutable Object* CWE607 2021 A3        
Struts: Non-private Field in ActionForm Class* CWE608 2021 A1        
Double-Checked Locking CWE609          
Externally Controlled Reference to a Resource in Another Sphere* CWE610 2021 A3        
Improper Restriction of XML External Entity Reference CWE611 2017 A4, 2021 A3, 2021 A5 L1   *  
Improper Authorization of Index Containing Sensitive Information* CWE612          
Insufficient Session Expiration* CWE613 2004 A3, 2013 A2, 2014 M9, 2017 A2, 2021 A7 L1     *
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute CWE614 2010 A9, 2013 A6, 2016 M3, 2017 A3, 2021 A2, 2021 A5 L1     *
Inclusion of Sensitive Information in Source Code Comments* CWE615 2004 A10, 2021 A1        
Incomplete Identification of Uploaded File Variables (PHP)* CWE616 2004 A3, 2021 A8 L2      
Reachable Assertion* CWE617          
Exposed Unsafe ActiveX Method* CWE618   L1     *
Dangling Database Cursor ('Cursor Injection')* CWE619 2021 A1        
Unverified Password Change* CWE620 2004 A3, 2013 A2, 2017 A2, 2021 A7 L1      
Variable Extraction Error* CWE621          
Improper Validation of Function Hook Arguments* CWE622 2004 A1, 2021 A3 L1   * *
Unsafe ActiveX Control Marked Safe For Scripting* CWE623          
Executable Regular Expression Error* CWE624 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3     *  
Permissive Regular Expression* CWE625          
Null Byte Interaction Error (Poison Null Byte)* CWE626   L1      
Dynamic Variable Evaluation* CWE627          
Function Call with Incorrectly Specified Arguments CWE628          
Not Failing Securely ('Failing Open')* CWE636 2004 A7, 2021 A4        
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')* CWE637 2021 A4 L2      
Not Using Complete Mediation* CWE638 2010 A4, 2010 A8, 2021 A1, 2021 A4     * *
Authorization Bypass Through User-Controlled Key* CWE639 2004 A2, 2007 A4, 2010 A4, 2010 A8, 2013 A4, 2017 A5, 2019 API1, 2021 A1 L1   * *
Weak Password Recovery Mechanism for Forgotten Password* CWE640 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 L1   *  
Improper Restriction of Names for Files and Other Resources* CWE641 2010 A4, 2013 A4, 2021 A3 L1      
External Control of Critical State Data* CWE642 2021 A1, 2021 A4       *
Improper Neutralization of Data within XPath Expressions ('XPath Injection') CWE643 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 L1 v3.2.1 6.5.1, v4.0 6.2.4    
Improper Neutralization of HTTP Headers for Scripting Syntax* CWE644 2004 A4, 2021 A3 L1     *
Overly Restrictive Account Lockout Mechanism* CWE645 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 L1   *  
Reliance on File Name or Extension of Externally-Supplied File* CWE646 2004 A3, 2021 A4, 2021 A8 L2      
Use of Non-Canonical URL Paths for Authorization Decisions* CWE647 2010 A4, 2010 A8, 2021 A1     * *
Incorrect Use of Privileged APIs* CWE648 2021 A4     *  
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking* CWE649 2004 A3, 2021 A8 L2      
Trusting HTTP Permission Methods on the Server Side* CWE650 2021 A4 L1      
Exposure of WSDL File Containing Sensitive Information* CWE651 2010 A6, 2021 A1        
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')* CWE652 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3        
Improper Isolation or Compartmentalization* CWE653 2021 A4        
Reliance on a Single Factor in a Security Decision* CWE654 2021 A4        
Insufficient Psychological Acceptability* CWE655 2021 A4        
Reliance on Security Through Obscurity* CWE656 2021 A4        
Violation of Secure Design Principles* CWE657 2021 A4        
Improper Synchronization* CWE662          
Use of a Non-reentrant Function in a Concurrent Context* CWE663          
Improper Control of a Resource Through its Lifetime CWE664          
Improper Initialization CWE665         *
Operation on Resource in Wrong Phase of Lifetime* CWE666          
Improper Locking CWE667          
Exposure of Resource to Wrong Sphere* CWE668 2021 A1        
Incorrect Resource Transfer Between Spheres* CWE669          
Always-Incorrect Control Flow Implementation* CWE670          
Lack of Administrator Control over Security* CWE671 2021 A4        
Operation on a Resource after Expiration or Release CWE672         *
External Influence of Sphere Definition* CWE673          
Uncontrolled Recursion CWE674 2004 A9        
Multiple Operations on Resource in Single-Operation Context* CWE675          
Use of Potentially Dangerous Function CWE676         *
Integer Overflow to Buffer Overflow* CWE680   L2   * *
Incorrect Conversion between Numeric Types* CWE681         *
Incorrect Calculation CWE682         *
Function Call With Incorrect Order of Arguments CWE683          
Incorrect Provision of Specified Functionality* CWE684          
Function Call With Incorrect Number of Arguments CWE685          
Function Call With Incorrect Argument Type CWE686          
Function Call With Incorrectly Specified Argument Value CWE687          
Function Call With Incorrect Variable or Reference as Argument CWE688          
Permission Race Condition During Resource Copy* CWE689   L2   * *
Unchecked Return Value to NULL Pointer Dereference* CWE690 2004 A7        
Insufficient Control Flow Management* CWE691          
Incomplete Denylist to Cross-Site Scripting* CWE692 2021 A3        
Protection Mechanism Failure* CWE693          
Use of Multiple Resources with Duplicate Identifier* CWE694 2010 A4, 2013 A4, 2021 A3        
Use of Low-Level Functionality* CWE695          
Incorrect Behavior Order CWE696          
Incorrect Comparison* CWE697          
Execution After Redirect (EAR)* CWE698          
Improper Check or Handling of Exceptional Conditions CWE703          
Incorrect Type Conversion or Cast CWE704          
Incorrect Control Flow Scoping* CWE705          
Use of Incorrectly-Resolved Name or Reference* CWE706 2013 A4, 2021 A1        
Improper Neutralization* CWE707          
Incorrect Ownership Assignment* CWE708 2004 A2        
Improper Adherence to Coding Standards* CWE710          
Incorrect Permission Assignment for Critical Resource CWE732 2004 A2, 2007 A10, 2010 A6, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1   * *
Compiler Optimization Removal or Modification of Security-critical Code* CWE733          
Exposed Dangerous Method or Function CWE749 2004 A2, 2017 A5, 2019 API1, 2021 A1 L1     *
Improper Check for Unusual or Exceptional Conditions* CWE754   L2     *
Improper Handling of Exceptional Conditions* CWE755          
Missing Custom Error Page* CWE756 2021 A5        
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')* CWE757 2021 A2        
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior CWE758          
Use of a One-Way Hash without a Salt* CWE759 2010 A7, 2021 A2 L2     *
Use of a One-Way Hash with a Predictable Salt* CWE760 2021 A2 L2      
Free of Pointer not at Start of Buffer* CWE761 2004 A9       *
Mismatched Memory Management Routines CWE762 2004 A9       *
Release of Invalid Pointer or Reference* CWE763 2004 A9       *
Multiple Locks of a Critical Resource* CWE764          
Multiple Unlocks of a Critical Resource* CWE765          
Critical Data Element Declared Public* CWE766 2010 A6 L2   * *
Access to Critical Private Variable via Public Method* CWE767 2021 A1        
Incorrect Short Circuit Evaluation CWE768          
DEPRECATED: Uncontrolled File Descriptor Consumption* CWE769          
Allocation of Resources Without Limits or Throttling* CWE770 2004 A9, 2019 API4 L1   * *
Missing Reference to Active Allocated Resource CWE771 2004 A9 L1   *  
Missing Release of Resource after Effective Lifetime CWE772 2004 A9     * *
Missing Reference to Active File Descriptor or Handle* CWE773          
Allocation of File Descriptors or Handles Without Limits or Throttling* CWE774 2019 API4 L1     *
Missing Release of File Descriptor or Handle after Effective Lifetime CWE775 2004 A9     * *
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')* CWE776 2004 A9, 2017 A4, 2021 A5        
Regular Expression without Anchors* CWE777          
Insufficient Logging* CWE778 2017 A10, 2019 API10, 2021 A9 L2      
Logging of Excessive Data* CWE779 2004 A9 L1   *  
Use of RSA Algorithm without OAEP CWE780 2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2 L2     *
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code* CWE781          
Exposed IOCTL with Insufficient Access Control* CWE782   L1     *
Operator Precedence Logic Error CWE783          
Reliance on Cookies without Validation and Integrity Checking in a Security Decision* CWE784 2021 A4, 2021 A8       *
Use of Path Manipulation Function without Maximum-sized Buffer* CWE785 2004 A1, 2004 A5, 2021 A3 L1   * *
Access of Memory Location Before Start of Buffer CWE786 2004 A5     * *
Out-of-bounds Write* CWE787 2004 A5     * *
Access of Memory Location After End of Buffer CWE788 2004 A5     * *
Memory Allocation with Excessive Size Value* CWE789 2019 API4 L1     *
Improper Filtering of Special Elements* CWE790 2021 A3 L1      
Incomplete Filtering of Special Elements* CWE791          
Incomplete Filtering of One or More Instances of Special Elements* CWE792          
Only Filtering One Instance of a Special Element* CWE793          
Incomplete Filtering of Multiple Instances of Special Elements* CWE794          
Only Filtering Special Elements at a Specified Location* CWE795          
Only Filtering Special Elements Relative to a Marker* CWE796          
Only Filtering Special Elements at an Absolute Position* CWE797          
Use of Hard-coded Credentials CWE798 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2014 M2, 2016 M2, 2017 A2, 2019 API2, 2021 A7 L1 v3.2.1 6.5.10, v4.0 6.2.4 * *
Improper Control of Interaction Frequency* CWE799 2021 A4 L1     *
Guessable CAPTCHA* CWE804 2010 A4, 2010 A8, 2021 A1     * *
Buffer Access with Incorrect Length Value* CWE805 2004 A5     * *
Buffer Access Using Size of Source Buffer* CWE806         *
Reliance on Untrusted Inputs in a Security Decision CWE807 2021 A4       *
Missing Synchronization* CWE820          
Incorrect Synchronization* CWE821          
Untrusted Pointer Dereference* CWE822 2004 A5     * *
Use of Out-of-range Pointer Offset* CWE823 2004 A5     * *
Access of Uninitialized Pointer* CWE824 2004 A5     * *
Expired Pointer Dereference CWE825 2004 A5     * *
Premature Release of Resource During Expected Lifetime* CWE826          
Improper Control of Document Type Definition* CWE827 2010 A4, 2013 A4, 2021 A1, 2021 A8 L1     *
Signal Handler with Functionality that is not Asynchronous-Safe* CWE828          
Inclusion of Functionality from Untrusted Control Sphere* CWE829 2010 A4, 2021 A8 L1     *
Inclusion of Web Functionality from an Untrusted Source* CWE830 2010 A4, 2021 A8 L1     *
Signal Handler Function Associated with Multiple Signals* CWE831          
Unlock of a Resource that is not Locked* CWE832          
Deadlock CWE833          
Excessive Iteration CWE834          
Loop with Unreachable Exit Condition ('Infinite Loop')* CWE835          
Use of Password Hash Instead of Password for Authentication* CWE836          
Improper Enforcement of a Single, Unique Action* CWE837 2021 A4 L1     *
Inappropriate Encoding for Output Context* CWE838 2021 A3 L1     *
Numeric Range Comparison Without Minimum Check* CWE839          
Improper Enforcement of Behavioral Workflow* CWE841 2021 A4 L1     *
Placement of User into Incorrect Group* CWE842          
Access of Resource Using Incompatible Type ('Type Confusion')* CWE843          
Missing Authorization* CWE862 2004 A2, 2007 A10, 2010 A4, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1   * *
Incorrect Authorization* CWE863 2004 A2, 2007 A10, 2010 A4, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1   * *
Use of Uninitialized Resource* CWE908         *
Missing Initialization of Resource* CWE909         *
Use of Expired File Descriptor CWE910         *
Improper Update of Reference Count* CWE911          
Hidden Functionality* CWE912          
Improper Control of Dynamically-Managed Code Resources* CWE913 2021 A1        
Improper Control of Dynamically-Identified Variables* CWE914 2010 A4, 2013 A4, 2021 A1, 2021 A3        
Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE915 2019 API6, 2021 A1, 2021 A8 L1      
Use of Password Hash With Insufficient Computational Effort* CWE916 2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2 L2     *
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')* CWE917 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3     *  
Server-Side Request Forgery (SSRF) CWE918 2021 A1, 2021 A3, 2021 A10 L1   *  
Improper Restriction of Power Consumption* CWE920 2004 A9 L1   *  
Storage of Sensitive Data in a Mechanism without Access Control CWE921 2014 M2, 2014 M4, 2016 M2, 2021 A1 L1      
Insecure Storage of Sensitive Information* CWE922 2021 A1 L1      
Improper Restriction of Communication Channel to Intended Endpoints* CWE923 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Enforcement of Message Integrity During Transmission in a Communication Channel* CWE924 2004 A3, 2021 A8 L2      
Improper Verification of Intent by Broadcast Receiver CWE925 2016 M1, 2021 A7        
Improper Export of Android Application Components* CWE926 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2016 M1, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1     *
Use of Implicit Intent for Sensitive Communication CWE927 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1, 2021 A4 L1     *
Improper Authorization in Handler for Custom URL Scheme* CWE939 2010 A4, 2010 A8, 2021 A1     * *
Improper Verification of Source of a Communication Channel* CWE940 2021 A7 L1      
Incorrectly Specified Destination in a Communication Channel* CWE941   L2      
Permissive Cross-domain Policy with Untrusted Domains* CWE942 2004 A1, 2010 A4, 2010 A8, 2021 A1, 2021 A4, 2021 A5 L2   * *
Improper Neutralization of Special Elements in Data Query Logic CWE943 2004 A6, 2013 A1, 2017 A1, 2021 A3        
Sensitive Cookie Without 'HttpOnly' Flag CWE1004 2010 A6, 2021 A5 L1   * *
Insufficient Visual Distinction of Homoglyphs Presented to User* CWE1007 2021 A4        
Improper Restriction of Rendered UI Layers or Frames* CWE1021 2021 A1, 2021 A3, 2021 A4 L1      
Use of Web Link to Untrusted Target with window.opener Access* CWE1022 2004 A2, 2021 A4        
Incomplete Comparison with Missing Factors* CWE1023          
Comparison of Incompatible Types* CWE1024          
Comparison Using Wrong Factors* CWE1025          
Processor Optimization Removal or Modification of Security-critical Code* CWE1037          
Insecure Automated Optimizations* CWE1038          
Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations* CWE1039          
Use of Redundant Code* CWE1041          
Static Member Data Element outside of a Singleton Class Element* CWE1042          
Data Element Aggregating an Excessively Large Number of Non-Primitive Elements* CWE1043          
Architecture with Number of Horizontal Layers Outside of Expected Range* CWE1044          
Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor* CWE1045          
Creation of Immutable Text Using String Concatenation* CWE1046          
Modules with Circular Dependencies* CWE1047          
Invokable Control Element with Large Number of Outward Calls* CWE1048          
Excessive Data Query Operations in a Large Data Table* CWE1049          
Excessive Platform Resource Consumption within a Loop* CWE1050 2004 A9        
Initialization with Hard-Coded Network Resource Configuration Data* CWE1051          
Excessive Use of Hard-Coded Literals in Initialization* CWE1052          
Missing Documentation for Design* CWE1053 2019 API9 L2      
Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer* CWE1054          
Multiple Inheritance from Concrete Classes* CWE1055          
Invokable Control Element with Variadic Parameters* CWE1056          
Data Access Operations Outside of Expected Data Manager Component* CWE1057          
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element* CWE1058          
Insufficient Technical Documentation* CWE1059 2019 API9 L2      
Excessive Number of Inefficient Server-Side Data Accesses* CWE1060          
Insufficient Encapsulation* CWE1061          
Parent Class with References to Child Class* CWE1062          
Creation of Class Instance within a Static Code Block* CWE1063          
Invokable Control Element with Signature Containing an Excessive Number of Parameters* CWE1064          
Runtime Resource Management Control Element in a Component Built to Run on Application Servers* CWE1065          
Missing Serialization Control Element* CWE1066          
Excessive Execution of Sequential Searches of Data Resource* CWE1067          
Inconsistency Between Implementation and Documented Design* CWE1068          
Empty Exception Block* CWE1069          
Serializable Data Element Containing non-Serializable Item Elements* CWE1070          
Empty Code Block* CWE1071          
Data Resource Access without Use of Connection Pooling* CWE1072 2004 A9        
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses* CWE1073 2004 A9        
Class with Excessively Deep Inheritance* CWE1074          
Unconditional Control Flow Transfer outside of Switch Block* CWE1075          
Insufficient Adherence to Expected Conventions* CWE1076          
Floating Point Comparison with Incorrect Operator* CWE1077          
Inappropriate Source Code Style or Formatting* CWE1078          
Parent Class without Virtual Destructor Method* CWE1079          
Source Code File with Excessive Number of Lines of Code* CWE1080          
Class Instance Self Destruction Control Element* CWE1082          
Data Access from Outside Expected Data Manager Component* CWE1083          
Invokable Control Element with Excessive File or Data Access Operations* CWE1084 2004 A9        
Invokable Control Element with Excessive Volume of Commented-out Code* CWE1085          
Class with Excessive Number of Child Classes* CWE1086          
Class with Virtual Method without a Virtual Destructor* CWE1087          
Synchronous Access of Remote Resource without Timeout* CWE1088          
Large Data Table with Excessive Number of Indices* CWE1089 2004 A9        
Method Containing Access of a Member Element from Another Class* CWE1090          
Use of Object without Invoking Destructor Method* CWE1091       * *
Use of Same Invokable Control Element in Multiple Architectural Layers* CWE1092          
Excessively Complex Data Representation* CWE1093          
Excessive Index Range Scan for a Data Resource* CWE1094 2004 A9        
Loop Condition Value Update within the Loop* CWE1095          
Singleton Class Instance Creation without Proper Locking or Synchronization* CWE1096          
Persistent Storable Data Element without Associated Comparison Control Element* CWE1097          
Data Element containing Pointer Item without Proper Copy Control Element* CWE1098          
Inconsistent Naming Conventions for Identifiers* CWE1099          
Insufficient Isolation of System-Dependent Functions* CWE1100          
Reliance on Runtime Component in Generated Code* CWE1101          
Reliance on Machine-Dependent Data Representation* CWE1102          
Use of Platform-Dependent Third Party Components* CWE1103          
Use of Unmaintained Third Party Components CWE1104 2021 A6 L2      
Insufficient Encapsulation of Machine-Dependent Functionality* CWE1105          
Insufficient Use of Symbolic Constants* CWE1106          
Insufficient Isolation of Symbolic Constant Definitions* CWE1107          
Excessive Reliance on Global Variables* CWE1108          
Use of Same Variable for Multiple Purposes* CWE1109          
Incomplete Design Documentation* CWE1110 2019 API9 L2      
Incomplete I/O Documentation* CWE1111 2019 API9 L2      
Incomplete Documentation of Program Execution* CWE1112 2019 API9 L2      
Inappropriate Comment Style* CWE1113          
Inappropriate Whitespace Style* CWE1114          
Source Code Element without Standard Prologue* CWE1115          
Inaccurate Comments* CWE1116          
Callable with Insufficient Behavioral Summary* CWE1117          
Insufficient Documentation of Error Handling Techniques* CWE1118 2019 API9 L2      
Excessive Use of Unconditional Branching* CWE1119          
Excessive Code Complexity* CWE1120          
Excessive McCabe Cyclomatic Complexity* CWE1121          
Excessive Halstead Complexity* CWE1122          
Excessive Use of Self-Modifying Code* CWE1123          
Excessively Deep Nesting* CWE1124          
Excessive Attack Surface* CWE1125          
Declaration of Variable with Unnecessarily Wide Scope* CWE1126          
Compilation with Insufficient Warnings or Errors* CWE1127          
Irrelevant Code* CWE1164          
Improper Use of Validation Framework* CWE1173 2004 A1, 2021 A3, 2021 A4 L1   * *
ASP.NET Misconfiguration: Improper Model Validation* CWE1174 2021 A4, 2021 A5        
Inefficient CPU Computation* CWE1176 2004 A9        
Use of Prohibited Code* CWE1177          
DEPRECATED: Use of Uninitialized Resource* CWE1187          
Initialization of a Resource with an Insecure Default* CWE1188         *
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)* CWE1189 2021 A1, 2021 A4        
DMA Device Enabled Too Early in Boot Phase* CWE1190          
On-Chip Debug and Test Interface With Improper Access Control* CWE1191 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Identifier for IP Block used in System-On-Chip (SOC)* CWE1192 2021 A4        
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control* CWE1193          
Generation of Weak Initialization Vector (IV)* CWE1204 2004 A2, 2021 A2 L1     *
Failure to Disable Reserved Bits* CWE1209          
Insufficient Granularity of Access Control* CWE1220 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Incorrect Register Defaults or Module Parameters* CWE1221          
Insufficient Granularity of Address Regions Protected by Register Locks* CWE1222          
Race Condition for Write-Once Attributes* CWE1223   L2   * *
Improper Restriction of Write-Once Bit Fields* CWE1224 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Creation of Emergent Resource* CWE1229          
Exposure of Sensitive Information Through Metadata* CWE1230 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1     *
Improper Prevention of Lock Bit Modification* CWE1231 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Lock Behavior After Power State Transition* CWE1232          
Security-Sensitive Hardware Controls with Missing Lock Bit Protection* CWE1233 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Hardware Internal or Debug Modes Allow Override of Locks* CWE1234          
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations* CWE1235 2004 A9 L1   *  
Improper Neutralization of Formula Elements in a CSV File* CWE1236 2004 A6, 2013 A1, 2021 A3        
Improper Zeroization of Hardware Register* CWE1239 2004 A8 L2      
Use of a Cryptographic Primitive with a Risky Implementation* CWE1240 2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2 L2     *
Use of Predictable Algorithm in Random Number Generator* CWE1241 2004 A2, 2021 A2 L1     *
Inclusion of Undocumented Features or Chicken Bits* CWE1242 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Sensitive Non-Volatile Information Not Protected During Debug* CWE1243          
Internal Asset Exposed to Unsafe Debug Access Level or State* CWE1244 2010 A4, 2010 A8, 2021 A1     * *
Improper Finite State Machines (FSMs) in Hardware Logic* CWE1245          
Improper Write Handling in Limited-write Non-Volatile Memories* CWE1246 2004 A9 L1   *  
Improper Protection Against Voltage and Clock Glitches* CWE1247          
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications* CWE1248          
Application-Level Admin Tool with Inconsistent View of Underlying Operating System* CWE1249          
Improper Preservation of Consistency Between Independent Representations of Shared State* CWE1250          
Mirrored Regions with Different Values* CWE1251          
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations* CWE1252 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Incorrect Selection of Fuse Values* CWE1253          
Incorrect Comparison Logic Granularity* CWE1254          
Comparison Logic is Vulnerable to Power Side-Channel Attacks* CWE1255          
Improper Restriction of Software Interfaces to Hardware Features* CWE1256 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1     *
Improper Access Control Applied to Mirrored or Aliased Memory Regions* CWE1257 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Exposure of Sensitive System Information Due to Uncleared Debug Information* CWE1258 2007 A6, 2021 A1 L1   * *
Improper Restriction of Security Token Assignment* CWE1259 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Handling of Overlap Between Protected Memory Ranges* CWE1260 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Handling of Single Event Upsets* CWE1261          
Improper Access Control for Register Interface* CWE1262 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Physical Access Control* CWE1263 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Hardware Logic with Insecure De-Synchronization between Control and Data Channels* CWE1264          
Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls* CWE1265          
Improper Scrubbing of Sensitive Data from Decommissioned Device* CWE1266 2004 A9       *
Policy Uses Obsolete Encoding* CWE1267 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Policy Privileges are not Assigned Consistently Between Control and Data Agents* CWE1268 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Product Released in Non-Release Configuration* CWE1269          
Generation of Incorrect Security Tokens* CWE1270 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Uninitialized Value on Reset for Registers Holding Security Settings* CWE1271          
Sensitive Information Uncleared Before Debug/Power State Transition* CWE1272 2004 A8 L2      
Device Unlock Credential Sharing* CWE1273 2007 A6, 2021 A1 L1   *  
Improper Access Control for Volatile Memory Containing Boot Code* CWE1274 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Sensitive Cookie with Improper SameSite Attribute* CWE1275 2021 A1 L1      
Hardware Child Block Incorrectly Connected to Parent System* CWE1276 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Firmware Not Updateable* CWE1277          
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques* CWE1278          
Cryptographic Operations are run Before Supporting Units are Ready* CWE1279         *
Access Control Check Implemented After Asset is Accessed* CWE1280 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Sequence of Processor Instructions Leads to Unexpected Behavior* CWE1281          
Assumed-Immutable Data is Stored in Writable Memory* CWE1282 2021 A1        
Mutable Attestation or Measurement Reporting Data* CWE1283 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Validation of Specified Quantity in Input* CWE1284 2004 A1, 2021 A3 L1   * *
Improper Validation of Specified Index, Position, or Offset in Input* CWE1285 2004 A1, 2021 A3 L1   * *
Improper Validation of Syntactic Correctness of Input* CWE1286 2004 A1, 2021 A3 L1   * *
Improper Validation of Specified Type of Input* CWE1287 2004 A1, 2021 A3 L1   * *
Improper Validation of Consistency within Input* CWE1288 2004 A1, 2021 A3 L1   * *
Improper Validation of Unsafe Equivalence in Input* CWE1289 2004 A1, 2021 A3 L1   * *
Incorrect Decoding of Security Identifiers * CWE1290 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Public Key Re-Use for Signing both Debug and Production Code* CWE1291          
Incorrect Conversion of Security Identifiers* CWE1292 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Missing Source Correlation of Multiple Independent Data* CWE1293 2004 A3, 2021 A8 L2      
Insecure Security Identifier Mechanism* CWE1294 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Debug Messages Revealing Unnecessary Information* CWE1295 2007 A6, 2021 A1 L1   *  
Incorrect Chaining or Granularity of Debug Components* CWE1296 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Unprotected Confidential Information on Device is Accessible by OSAT Vendors* CWE1297 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1     *
Hardware Logic Contains Race Conditions* CWE1298   L2   * *
Missing Protection Mechanism for Alternate Hardware Interface* CWE1299 2007 A10, 2021 A7        
Improper Protection of Physical Side Channels* CWE1300 2004 A7, 2007 A6        
Insufficient or Incomplete Data Removal within Hardware Component* CWE1301 2004 A8 L2      
Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)* CWE1302          
Non-Transparent Sharing of Microarchitectural Resources* CWE1303 2004 A7, 2007 A6        
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation* CWE1304 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Missing Ability to Patch ROM Code* CWE1310          
Improper Translation of Security Attributes by Fabric Bridge* CWE1311 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall* CWE1312 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Hardware Allows Activation of Test or Debug Logic at Runtime* CWE1313 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Missing Write Protection for Parametric Data Values* CWE1314 2010 A4, 2010 A8, 2021 A1     * *
Improper Setting of Bus Controlling Capability in Fabric End-point* CWE1315 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges* CWE1316 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improper Access Control in Fabric Bridge* CWE1317 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Missing Support for Security Features in On-chip Fabrics or Buses* CWE1318          
Improper Protection against Electromagnetic Fault Injection (EM-FI)* CWE1319          
Improper Protection for Outbound Error Messages and Alert Signals* CWE1320 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')* CWE1321 2019 API6, 2021 A1, 2021 A8 L1      
Use of Blocking Code in Single-threaded, Non-blocking Context* CWE1322          
Improper Management of Sensitive Trace Data* CWE1323 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface* CWE1324          
Improperly Controlled Sequential Memory Allocation* CWE1325 2019 API4 L1     *
Missing Immutable Root of Trust in Hardware* CWE1326          
Binding to an Unrestricted IP Address* CWE1327 2021 A1        
Security Version Number Mutable to Older Versions* CWE1328 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 L1     *
Reliance on Component That is Not Updateable* CWE1329          
Remanent Data Readable after Memory Erase* CWE1330          
Improper Isolation of Shared Resources in Network On Chip (NoC)* CWE1331 2021 A1, 2021 A4        
Improper Handling of Faults that Lead to Instruction Skips* CWE1332          
Inefficient Regular Expression Complexity* CWE1333          
Unauthorized Error Injection Can Degrade Hardware Redundancy* CWE1334 2004 A2, 2017 A5, 2019 API1, 2021 A1 L2      
Incorrect Bitwise Shift of Integer* CWE1335         *
Improper Neutralization of Special Elements Used in a Template Engine* CWE1336 2021 A3 L1   * *
Improper Protections Against Hardware Overheating* CWE1338          
Insufficient Precision or Accuracy of a Real Number* CWE1339         *
Multiple Releases of Same Resource or Handle* CWE1341          
Information Exposure through Microarchitectural State after Transient Execution* CWE1342 2004 A8 L2      
Improper Handling of Hardware Behavior in Exceptionally Cold Environments* CWE1351          
Reliance on Insufficiently Trustworthy Component* CWE1357          
Improper Handling of Physical or Environmental Conditions* CWE1384          
Missing Origin Validation in WebSockets* CWE1385 2021 A7 L1      
Insecure Operation on Windows Junction / Mount Point* CWE1386 2021 A1       *
Incorrect Parsing of Numbers with Different Radices* CWE1389          
Weak Authentication* CWE1390 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 L1   *  
Use of Weak Credentials* CWE1391          
Use of Default Credentials* CWE1392          
Use of Default Password* CWE1393          
Use of Default Cryptographic Key* CWE1394          
Dependency on Vulnerable Third-Party Component* CWE1395 2021 A4        
Incorrect Initialization of Resource* CWE1419         *
Exposure of Sensitive Information during Transient Execution* CWE1420          
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution* CWE1421          
Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution* CWE1422          
Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution* CWE1423          
Improper Validation of Generative AI Output* CWE1426          
Improper Neutralization of Input Used for LLM Prompting* CWE1427 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3     *  

* 這個弱點不包含在內建的規則套件中,但是內建規則套件中另一個弱點的子項目,或是經由自訂規則套件支援。

參考資料

  1. 弱點類別的名稱是依據 Common Weakness Enumeration List Version 4.14。
  2. OWASP Top 10 清單是依據 OWASP Top Ten 計畫。
  3. OWASP ASVS 清單是依據 OWASP Application Security Verification Standard 4.0.3。
  4. CWE Top 25 清單是依據 CWE Top 25 Most Dangerous Software Errors。
  5. CWE/SANS Top 25 清單是依據 SANS Top 25 Most Dangerous Software Errors Version 3.0。
  6. PCI DSS 清單是依據 Payment Card Industry (PCI) Data Security Standard, v4.0。