Note: This article was translated using machine translation software and may have been post-edited by a human. It may also not have been translated from the latest English version. Lucent Sky assumes no responsibility for any inaccuracies or errors in the translated content, or for any damages a customer incurs from using the translated content.
This article explains how Lucent Sky AVM classifies vulnerabilities and lists the vulnerability categories that Lucent Sky AVM can detect and fix. Earlier versions of Lucent Sky AVM may not support some of these categories.
How Lucent Sky AVM classifies vulnerabilities
Lucent Sky AVM uses CWE IDs as its primary classification scheme. CWE is organized hierarchically, which means a single vulnerability may be classifiable under several different CWE IDs. For such vulnerabilities, the Lucent Sky team works with external experts and stakeholders to decide which CWE ID to use.
The goal is to use CWE IDs with recognizable and distinct definitions (for example, choosing CWE-201: Information Exposure Through Sent Data over CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), while avoiding scan results flooded with hundreds of similar CWE IDs (for example, choosing CWE-22: Path Traversal over CWE-32: Path Traversal: '...' (Triple Dot)).
List of vulnerability categories
Name | CWE ID | OWASP Top 10 | OWASP ASVS | PCI DSS | CWE Top 25 | CWE/SANS Top 25 |
---|---|---|---|---|---|---|
J2EE Misconfiguration: Data Transmission Without Encryption | CWE5 | 2004 A10, 2010 A9, 2013 A6, 2017 A3, 2021 A2 | L1 | * | ||
J2EE Misconfiguration: Insufficient Session-ID Length | CWE6 | 2004 A10 | ||||
J2EE Misconfiguration: Missing Custom Error Page | CWE7 | 2004 A7, 2004 A10, 2021 A5 | ||||
J2EE Misconfiguration: Entity Bean Declared Remote | CWE8 | 2004 A10, 2021 A1 | ||||
J2EE Misconfiguration: Weak Access Permissions for EJB Methods | CWE9 | 2004 A2, 2004 A10, 2021 A4 | ||||
ASP.NET Misconfiguration: Creating Debug Binary | CWE11 | 2004 A10, 2021 A5 | ||||
ASP.NET Misconfiguration: Missing Custom Error Page* | CWE12 | 2004 A10, 2021 A5 | ||||
ASP.NET Misconfiguration: Password in Configuration File | CWE13 | 2004 A10, 2021 A5 | ||||
Compiler Removal of Code to Clear Buffers | CWE14 | 2004 A8 | ||||
External Control of System or Configuration Setting | CWE15 | 2004 A1, 2021 A3, 2021 A4, 2021 A5 | L1 | * | * | |
Improper Input Validation | CWE20 | 2004 A1, 2014 M8, 2021 A3 | L1 | * | * | |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE22 | 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1 | L1 | v3.2.1 6.5.8, v4.0 6.2.4 | * | * |
Relative Path Traversal | CWE23 | 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1 | L1 | * | * | |
Path Traversal: '../filedir'* | CWE24 | 2021 A1 | ||||
Path Traversal: '/../filedir' | CWE25 | 2021 A1 | ||||
Path Traversal: '/dir/../filename'* | CWE26 | 2021 A1 | ||||
Path Traversal: 'dir/../../filename'* | CWE27 | 2021 A1 | ||||
Path Traversal: '..\filedir' | CWE28 | 2021 A1 | ||||
Path Traversal: '..\filename' | CWE29 | 2021 A1 | ||||
Path Traversal: '\dir\..\filename'* | CWE30 | 2021 A1 | ||||
Path Traversal: 'dir....\filename' | CWE31 | 2021 A1 | ||||
Path Traversal: '...' (Triple Dot) | CWE32 | 2021 A1 | ||||
Path Traversal: '....' (Multiple Dot) | CWE33 | 2021 A1 | ||||
Path Traversal: '....//' | CWE34 | 2021 A1 | ||||
Path Traversal: '.../...//' | CWE35 | 2021 A1 | ||||
Absolute Path Traversal | CWE36 | 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2021 A1 | L1 | * | * | |
Path Traversal: '/absolute/pathname/here'* | CWE37 | |||||
Path Traversal: '\absolute\pathname\here'* | CWE38 | |||||
Path Traversal: 'C:dirname'* | CWE39 | |||||
Path Traversal: '\\UNC\share\name' (Windows UNC Share) | CWE40 | |||||
Improper Resolution of Path Equivalence* | CWE41 | 2004 A2, 2013 A4, 2021 A1 | ||||
Path Equivalence: 'filename.' (Trailing Dot)* | CWE42 | 2004 A2 | ||||
Path Equivalence: 'filename....' (Multiple Trailing Dot)* | CWE43 | |||||
Path Equivalence: 'file.name' (Internal Dot)* | CWE44 | 2004 A2 | ||||
Path Equivalence: 'file...name' (Multiple Internal Dot)* | CWE45 | |||||
Path Equivalence: 'filename ' (Trailing Space)* | CWE46 | 2004 A2 | ||||
Path Equivalence: ' filename' (Leading Space)* | CWE47 | 2004 A2 | ||||
Path Equivalence: 'file name' (Internal Whitespace)* | CWE48 | 2004 A2 | ||||
Path Equivalence: 'filename/' (Trailing Slash)* | CWE49 | 2004 A2 | ||||
Path Equivalence: '//multiple/leading/slash' | CWE50 | 2004 A2 | ||||
Path Equivalence: '/multiple//internal/slash'* | CWE51 | 2004 A2 | ||||
Path Equivalence: '/multiple/trailing/slash//' | CWE52 | 2004 A2 | ||||
Path Equivalence: '\multiple\\internal\backslash' | CWE53 | 2004 A2 | ||||
Path Equivalence: 'filedir\' (Trailing Backslash)* | CWE54 | 2004 A2 | ||||
Path Equivalence: '/./' (Single Dot Directory) | CWE55 | 2004 A2 | ||||
Path Equivalence: 'filedir*' (Wildcard) | CWE56 | 2004 A2 | ||||
Path Equivalence: 'fakedir/../realdir/filename' | CWE57 | 2004 A2 | ||||
Path Equivalence: Windows 8.3 Filename | CWE58 | 2004 A2 | ||||
Improper Link Resolution Before File Access ('Link Following')* | CWE59 | 2013 A4, 2021 A1 | * | |||
UNIX Symbolic Link (Symlink) Following | CWE61 | 2021 A1 | * | |||
UNIX Hard Link | CWE62 | 2021 A1 | * | |||
Windows Shortcut Following (.LNK) | CWE64 | 2021 A1 | * | |||
Windows Hard Link | CWE65 | 2021 A1 | * | |||
Improper Handling of File Names that Identify Virtual Resources* | CWE66 | 2013 A4, 2021 A1 | ||||
Improper Handling of Windows Device Names | CWE67 | |||||
Improper Handling of Windows ::DATA Alternate Data Stream | CWE69 | |||||
DEPRECATED: Apple '.DS_Store' | CWE71 | |||||
Improper Handling of Apple HFS+ Alternate Data Stream Path | CWE72 | |||||
External Control of File Name or Path | CWE73 | 2004 A1, 2004 A2, 2021 A3, 2021 A4 | L1 | * | * | |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | CWE74 | 2004 A6, 2013 A1, 2021 A3 | ||||
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | CWE75 | 2004 A6, 2013 A1, 2021 A3 | ||||
Improper Neutralization of Equivalent Special Elements | CWE76 | 2021 A3 | ||||
Improper Neutralization of Special Elements used in a Command ('Command Injection') | CWE77 | 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | * | |||
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | CWE78 | 2004 A1, 2004 A6, 2007 A2, 2007 A3, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | * | * |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CWE79 | 2004 A1, 2004 A4, 2004 A6, 2007 A1, 2010 A2, 2013 A1, 2013 A3, 2014 M7, 2017 A7, 2021 A3 | L1 | v3.2.1 6.5.7, v4.0 6.2.4 | * | * |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | CWE80 | 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 | L1 | * | * | |
Improper Neutralization of Script in an Error Message Web Page | CWE81 | 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 | L1 | * | * | |
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | CWE82 | 2021 A3 | ||||
Improper Neutralization of Script in Attributes in a Web Page | CWE83 | 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 | L1 | * | * | |
Improper Neutralization of Encoded URI Schemes in a Web Page* | CWE84 | 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 | L1 | * | * | |
Doubled Character XSS Manipulations | CWE85 | 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 | L1 | * | * | |
Improper Neutralization of Invalid Characters in Identifiers in Web Pages | CWE86 | 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 | L1 | * | * | |
Improper Neutralization of Alternate XSS Syntax | CWE87 | 2004 A1, 2004 A4, 2007 A1, 2010 A2, 2013 A3, 2017 A7, 2021 A3 | L1 | * | * | |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | CWE88 | 2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | * | |||
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CWE89 | 2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2014 M7, 2017 A1, 2019 API8, 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | * | * |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | CWE90 | 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | ||
XML Injection (aka Blind XPath Injection) | CWE91 | 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2014 M7, 2017 A1, 2019 API8, 2021 A3 | v3.2.1 6.5.1, v4.0 6.2.4 | |||
DEPRECATED: Improper Sanitization of Custom Special Characters | CWE92 | |||||
Improper Neutralization of CRLF Sequences ('CRLF Injection') | CWE93 | 2004 A6, 2007 A2, 2013 A1, 2021 A3 | ||||
Improper Control of Generation of Code ('Code Injection') | CWE94 | 2004 A6, 2013 A1, 2021 A1, 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | * | * |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | CWE95 | 2004 A6, 2007 A3, 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | * | * |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | CWE96 | 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | * | * |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | CWE97 | 2021 A3 | v3.2.1 6.5.1, v4.0 6.2.4 | |||
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | CWE98 | 2004 A6, 2007 A3, 2010 A4, 2013 A4, 2021 A1, 2021 A3, 2021 A8 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | * | |
Improper Control of Resource Identifiers ('Resource Injection')* | CWE99 | 2004 A6, 2010 A4, 2013 A1, 2013 A4, 2021 A3 | ||||
Struts: Duplicate Validation Forms* | CWE102 | 2004 A1, 2021 A3, 2021 A4 | L1 | * | * | |
Struts: Incomplete validate() Method Definition* | CWE103 | 2004 A1, 2021 A3 | L1 | * | * | |
Struts: Form Bean Does Not Extend Validation Class* | CWE104 | 2004 A1, 2021 A3 | L1 | * | * | |
Struts: Form Field Without Validator* | CWE105 | 2004 A1, 2021 A3, 2021 A4 | L1 | * | * | |
Struts: Plug-in Framework not in Use | CWE106 | 2004 A1, 2021 A3, 2021 A4 | L1 | * | * | |
Struts: Unused Validation Form* | CWE107 | 2004 A1, 2021 A3 | L1 | * | * | |
Struts: Unvalidated Action Form* | CWE108 | 2004 A1, 2021 A3, 2021 A4 | L1 | * | * | |
Struts: Validator Turned Off* | CWE109 | 2004 A1, 2021 A3, 2021 A4 | L1 | * | * | |
Struts: Validator Without Form Field* | CWE110 | 2004 A1, 2021 A3 | L1 | * | * | |
Direct Use of Unsafe JNI* | CWE111 | 2004 A1, 2021 A3 | L1 | * | * | |
Missing XML Validation* | CWE112 | 2004 A1, 2021 A3 | L1 | * | * | |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | CWE113 | 2004 A1, 2007 A2, 2021 A3 | L1 | * | * | |
Process Control* | CWE114 | 2004 A1, 2004 A2, 2021 A3, 2021 A4 | L1 | * | * | |
Misinterpretation of Input* | CWE115 | L2 | ||||
Improper Encoding or Escaping of Output* | CWE116 | 2021 A3 | L1 | * | ||
Improper Output Neutralization for Logs | CWE117 | 2004 A1, 2004 A6, 2021 A3, 2021 A9 | L1 | * | * | |
Incorrect Access of Indexable Resource ('Range Error')* | CWE118 | |||||
Improper Restriction of Operations within the Bounds of a Memory Buffer | CWE119 | 2004 A1, 2004 A5, 2021 A3 | L1 | * | * | |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | CWE120 | 2004 A1, 2004 A5, 2021 A3 | L1 | v3.2.1 6.5.2, v4.0 6.2.4 | * | * |
Stack-based Buffer Overflow* | CWE121 | * | ||||
Heap-based Buffer Overflow* | CWE122 | * | ||||
Write-what-where Condition* | CWE123 | 2004 A5 | * | * | ||
Buffer Underwrite ('Buffer Underflow')* | CWE124 | * | ||||
Out-of-bounds Read* | CWE125 | 2004 A5 | * | * | ||
Buffer Over-read* | CWE126 | * | ||||
Buffer Under-read* | CWE127 | * | ||||
Wrap-around Error | CWE128 | * | ||||
Improper Validation of Array Index* | CWE129 | 2004 A1, 2021 A3 | L1 | * | * | |
Improper Handling of Length Parameter Inconsistency* | CWE130 | 2004 A5 | * | * | ||
Incorrect Calculation of Buffer Size | CWE131 | * | ||||
DEPRECATED: Miscalculated Null Termination* | CWE132 | |||||
Use of Externally-Controlled Format String | CWE134 | 2004 A1, 2004 A5, 2021 A1, 2021 A3 | L1 | * | * | |
Incorrect Calculation of Multi-Byte String Length* | CWE135 | * | ||||
Improper Neutralization of Special Elements* | CWE138 | 2021 A3 | L1 | |||
Improper Neutralization of Delimiters* | CWE140 | 2021 A3 | L1 | |||
Improper Neutralization of Parameter/Argument Delimiters* | CWE141 | |||||
Improper Neutralization of Value Delimiters* | CWE142 | |||||
Improper Neutralization of Record Delimiters* | CWE143 | |||||
Improper Neutralization of Line Delimiters* | CWE144 | |||||
Improper Neutralization of Section Delimiters* | CWE145 | |||||
Improper Neutralization of Expression/Command Delimiters* | CWE146 | |||||
Improper Neutralization of Input Terminators* | CWE147 | 2021 A3 | L1 | |||
Improper Neutralization of Input Leaders* | CWE148 | 2021 A3 | L1 | |||
Improper Neutralization of Quoting Syntax* | CWE149 | 2021 A3 | L1 | |||
Improper Neutralization of Escape, Meta, or Control Sequences* | CWE150 | 2021 A3 | L1 | |||
Improper Neutralization of Comment Delimiters* | CWE151 | 2021 A3 | L1 | |||
Improper Neutralization of Macro Symbols* | CWE152 | 2021 A3 | L1 | |||
Improper Neutralization of Substitution Characters* | CWE153 | 2021 A3 | L1 | |||
Improper Neutralization of Variable Name Delimiters* | CWE154 | 2021 A3 | L1 | |||
Improper Neutralization of Wildcards or Matching Symbols* | CWE155 | 2021 A3 | L1 | |||
Improper Neutralization of Whitespace* | CWE156 | 2021 A3 | L1 | |||
Failure to Sanitize Paired Delimiters* | CWE157 | 2021 A3 | L1 | |||
Improper Neutralization of Null Byte or NUL Character | CWE158 | 2021 A3 | L1 | |||
Improper Handling of Invalid Use of Special Elements* | CWE159 | 2021 A3 | L1 | |||
Improper Neutralization of Leading Special Elements* | CWE160 | 2021 A3 | L1 | |||
Improper Neutralization of Multiple Leading Special Elements* | CWE161 | |||||
Improper Neutralization of Trailing Special Elements* | CWE162 | 2021 A3 | L1 | |||
Improper Neutralization of Multiple Trailing Special Elements* | CWE163 | |||||
Improper Neutralization of Internal Special Elements* | CWE164 | 2021 A3 | L1 | |||
Improper Neutralization of Multiple Internal Special Elements* | CWE165 | |||||
Improper Handling of Missing Special Element* | CWE166 | 2004 A1, 2004 A7 | L1 | |||
Improper Handling of Additional Special Element* | CWE167 | 2004 A1, 2004 A7 | L1 | |||
Improper Handling of Inconsistent Special Elements* | CWE168 | 2004 A7 | L1 | |||
Improper Null Termination | CWE170 | 2004 A1, 2004 A9, 2021 A3 | L1 | * | * | |
Encoding Error* | CWE172 | |||||
Improper Handling of Alternate Encoding* | CWE173 | L1 | ||||
Double Decoding of the Same Data* | CWE174 | |||||
Improper Handling of Mixed Encoding* | CWE175 | |||||
Improper Handling of Unicode Encoding | CWE176 | L1 | ||||
Improper Handling of URL Encoding (Hex Encoding)* | CWE177 | |||||
Improper Handling of Case Sensitivity* | CWE178 | 2013 A4, 2021 A1 | ||||
Incorrect Behavior Order: Early Validation* | CWE179 | 2004 A1, 2021 A3 | L1 | * | * | |
Incorrect Behavior Order: Validate Before Canonicalize* | CWE180 | 2004 A1 | ||||
Incorrect Behavior Order: Validate Before Filter* | CWE181 | 2004 A1 | ||||
Collapse of Data into Unsafe Value* | CWE182 | 2004 A1 | ||||
Permissive List of Allowed Inputs* | CWE183 | 2004 A1, 2021 A4 | ||||
Incomplete List of Disallowed Inputs* | CWE184 | 2021 A3 | ||||
Incorrect Regular Expression | CWE185 | |||||
Overly Restrictive Regular Expression* | CWE186 | |||||
Partial String Comparison* | CWE187 | |||||
Reliance on Data/Memory Layout* | CWE188 | |||||
Integer Overflow or Wraparound | CWE190 | 2004 A1, 2021 A3 | L1 | * | * | |
Integer Underflow (Wrap or Wraparound)* | CWE191 | * | ||||
Integer Coercion Error | CWE192 | * | ||||
Off-by-one Error* | CWE193 | * | ||||
Unexpected Sign Extension* | CWE194 | * | ||||
Signed to Unsigned Conversion Error | CWE195 | * | ||||
Unsigned to Signed Conversion Error* | CWE196 | * | ||||
Numeric Truncation Error | CWE197 | * | ||||
Use of Incorrect Byte Ordering* | CWE198 | |||||
Exposure of Sensitive Information to an Unauthorized Actor | CWE200 | 2007 A6, 2021 A1 | L1 | v3.2.1 6.5.5, v4.0 6.2.4 | * | |
Insertion of Sensitive Information Into Sent Data* | CWE201 | 2007 A6, 2021 A1 | L1 | * | ||
Exposure of Sensitive Information Through Data Queries* | CWE202 | |||||
Observable Discrepancy | CWE203 | 2004 A7, 2007 A6, 2021 A1 | L1 | * | ||
Observable Response Discrepancy* | CWE204 | 2004 A7, 2007 A6 | ||||
Observable Behavioral Discrepancy* | CWE205 | 2004 A7, 2007 A6 | ||||
Observable Internal Behavioral Discrepancy* | CWE206 | |||||
Observable Behavioral Discrepancy With Equivalent Products* | CWE207 | |||||
Observable Timing Discrepancy* | CWE208 | 2004 A7, 2007 A6 | ||||
Generation of Error Message Containing Sensitive Information | CWE209 | 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A1, 2021 A4 | L1 | v3.2.1 6.5.5, v4.0 6.2.4 | * | * |
Self-generated Error Message Containing Sensitive Information* | CWE210 | 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4 | L1 | * | ||
Externally-Generated Error Message Containing Sensitive Information | CWE211 | 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4 | * | |||
Improper Removal of Sensitive Information Before Storage or Transfer | CWE212 | L1 | * | |||
Exposure of Sensitive Information Due to Incompatible Policies | CWE213 | 2007 A6, 2019 API3, 2021 A1, 2021 A4 | L1 | * | ||
Invocation of Process Using Visible Sensitive Information* | CWE214 | 2021 A1 | L1 | |||
Insertion of Sensitive Information Into Debugging Code | CWE215 | 2004 A10, 2007 A6, 2013 A5, 2021 A1 | L1 | * | ||
DEPRECATED: Containment Errors (Container Errors)* | CWE216 | |||||
DEPRECATED: Failure to Protect Stored Data from Modification* | CWE217 | |||||
DEPRECATED: Failure to provide confidentiality for stored data* | CWE218 | |||||
Storage of File with Sensitive Data Under Web Root* | CWE219 | 2004 A10, 2010 A6, 2021 A1 | L1 | |||
Storage of File With Sensitive Data Under FTP Root* | CWE220 | 2004 A10, 2010 A6, 2017 A3, 2021 A1 | L1 | |||
Information Loss or Omission* | CWE221 | |||||
Truncation of Security-relevant Information* | CWE222 | |||||
Omission of Security-relevant Information* | CWE223 | 2017 A10, 2019 API10, 2021 A9 | ||||
Obscured Security-relevant Information by Alternate Name* | CWE224 | |||||
DEPRECATED: General Information Management Problems* | CWE225 | |||||
Sensitive Information in Resource Not Removed Before Reuse* | CWE226 | 2004 A8, 2004 A10 | L1 | * | ||
Improper Handling of Syntactically Invalid Structure* | CWE228 | 2004 A7 | ||||
Improper Handling of Values* | CWE229 | 2004 A7 | ||||
Improper Handling of Missing Values* | CWE230 | |||||
Improper Handling of Extra Values* | CWE231 | |||||
Improper Handling of Undefined Values* | CWE232 | |||||
Improper Handling of Parameters* | CWE233 | 2004 A7 | L2 | |||
Failure to Handle Missing Parameter* | CWE234 | L2 | ||||
Improper Handling of Extra Parameters* | CWE235 | 2021 A4 | L1 | |||
Improper Handling of Undefined Parameters* | CWE236 | L2 | ||||
Improper Handling of Structural Elements* | CWE237 | 2004 A7 | ||||
Improper Handling of Incomplete Structural Elements* | CWE238 | |||||
Failure to Handle Incomplete Element* | CWE239 | |||||
Improper Handling of Inconsistent Structural Elements* | CWE240 | |||||
Improper Handling of Unexpected Data Type* | CWE241 | 2004 A7 | ||||
Use of Inherently Dangerous Function | CWE242 | 2016 M1, 2016 M7 | v3.2.1 6.5.6, v4.0 6.2.4 | |||
Creation of chroot Jail Without Changing Working Directory* | CWE243 | |||||
Improper Clearing of Heap Memory Before Release ('Heap Inspection')* | CWE244 | 2004 A8 | L2 | |||
J2EE Bad Practices: Direct Management of Connections* | CWE245 | |||||
J2EE Bad Practices: Direct Use of Sockets* | CWE246 | |||||
DEPRECATED: Reliance on DNS Lookups in a Security Decision* | CWE247 | |||||
Uncaught Exception* | CWE248 | 2004 A9 | ||||
DEPRECATED: Often Misused: Path Manipulation* | CWE249 | |||||
Execution with Unnecessary Privileges* | CWE250 | 2010 A6, 2021 A4 | L2 | * | * | |
Unchecked Return Value | CWE252 | 2004 A7 | L2 | * | ||
Incorrect Check of Function Return Value | CWE253 | L2 | * | |||
Plaintext Storage of a Password* | CWE256 | 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4 | L2 | * | ||
Storing Passwords in a Recoverable Format* | CWE257 | 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4 | * | |||
Empty Password in Configuration File* | CWE258 | 2004 A3, 2021 A5, 2021 A7 | L1 | |||
Use of Hard-coded Password | CWE259 | 2004 A3, 2010 A3, 2019 API2, 2021 A7 | L2 | * | * | |
Password in Configuration File* | CWE260 | 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4, 2021 A5 | * | |||
Weak Encoding for Password* | CWE261 | 2004 A3, 2004 A8, 2007 A7, 2013 A2, 2017 A2, 2021 A2, 2021 A4 | * | |||
Not Using Password Aging* | CWE262 | |||||
Password Aging with Long Expiration* | CWE263 | L1 | ||||
Incorrect Privilege Assignment* | CWE266 | 2004 A2, 2021 A4 | * | |||
Privilege Defined With Unsafe Actions* | CWE267 | 2021 A4 | * | |||
Privilege Chaining* | CWE268 | 2004 A2, 2021 A4 | * | |||
Improper Privilege Management* | CWE269 | 2004 A2, 2017 A5, 2019 API1, 2021 A1, 2021 A4 | L2 | * | ||
Privilege Context Switching Error* | CWE270 | 2021 A4 | * | |||
Privilege Dropping / Lowering Errors* | CWE271 | 2021 A4 | * | |||
Least Privilege Violation* | CWE272 | L2 | ||||
Improper Check for Dropped Privileges* | CWE273 | L2 | * | |||
Improper Handling of Insufficient Privileges* | CWE274 | 2021 A4 | * | |||
Incorrect Default Permissions* | CWE276 | 2010 A6, 2021 A1 | L2 | * | * | |
Insecure Inherited Permissions* | CWE277 | 2010 A6 | L2 | * | * | |
Insecure Preserved Inherited Permissions* | CWE278 | 2010 A6 | L2 | * | * | |
Incorrect Execution-Assigned Permissions* | CWE279 | 2010 A6 | L2 | * | * | |
Improper Handling of Insufficient Permissions or Privileges* | CWE280 | 2021 A4 | ||||
Improper Preservation of Permissions* | CWE281 | 2010 A6 | L2 | * | * | |
Improper Ownership Management* | CWE282 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Unverified Ownership* | CWE283 | 2004 A2 | ||||
Improper Access Control* | CWE284 | 2004 A2, 2014 M5, 2016 M4, 2017 A5, 2019 API1, 2021 A1 | L2 | v3.2.1 6.5.8, v3.2.1 6.5.10, v4.0 6.2.4 | ||
Improper Authorization* | CWE285 | 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | ||
Incorrect User Management* | CWE286 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Authentication* | CWE287 | 2004 A2, 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2017 A5, 2019 API1, 2021 A1, 2021 A7 | L1 | v3.2.1 6.5.10, v4.0 6.2.4 | * | |
Authentication Bypass Using an Alternate Path or Channel* | CWE288 | 2004 A2, 2007 A10, 2010 A3, 2017 A5, 2019 API1, 2021 A1, 2021 A7 | L1 | * | * | |
Authentication Bypass by Alternate Name* | CWE289 | |||||
Authentication Bypass by Spoofing* | CWE290 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | * | ||
Reliance on IP Address for Authentication* | CWE291 | 2021 A3, 2021 A7 | L2 | |||
DEPRECATED: Trusting Self-reported DNS Name* | CWE292 | |||||
Using Referer Field for Authentication* | CWE293 | 2021 A7 | L2 | |||
Authentication Bypass by Capture-replay* | CWE294 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | * | ||
Improper Certificate Validation | CWE295 | 2004 A3, 2004 A10, 2007 A7, 2010 A3, 2013 A2, 2014 M5, 2016 M4, 2017 A2, 2017 A3, 2021 A7 | L1 | v3.2.1 6.5.3, v3.2.1 6.5.4, v3.2.1 6.5.10, v4.0 6.2.4 | * | |
Improper Following of a Certificate's Chain of Trust* | CWE296 | 2004 A3, 2004 A10, 2017 A3, 2021 A2, 2021 A7 | L2 | * | ||
Improper Validation of Certificate with Host Mismatch | CWE297 | 2004 A10, 2017 A3, 2021 A7 | L2 | * | ||
Improper Validation of Certificate Expiration* | CWE298 | 2004 A3, 2004 A10, 2017 A3, 2021 A7 | L2 | * | * | |
Improper Check for Certificate Revocation* | CWE299 | 2004 A9, 2004 A10, 2017 A3, 2021 A7 | L2 | * | * | |
Channel Accessible by Non-Endpoint* | CWE300 | 2021 A7 | L2 | |||
Reflection Attack in an Authentication Protocol* | CWE301 | 2007 A7 | ||||
Authentication Bypass by Assumed-Immutable Data* | CWE302 | 2004 A3, 2021 A4, 2021 A7 | * | |||
Incorrect Implementation of Authentication Algorithm* | CWE303 | |||||
Missing Critical Step in Authentication* | CWE304 | 2004 A3, 2021 A7 | L1 | |||
Authentication Bypass by Primary Weakness* | CWE305 | |||||
Missing Authentication for Critical Function* | CWE306 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | * | * | |
Improper Restriction of Excessive Authentication Attempts* | CWE307 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2019 API4, 2021 A4, 2021 A7 | L1 | * | * | |
Use of Single-factor Authentication* | CWE308 | 2017 A2 | L2 | |||
Use of Password System for Primary Authentication* | CWE309 | 2004 A3 | ||||
Missing Encryption of Sensitive Data | CWE311 | 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2017 A3, 2021 A4 | L2 | v3.2.1 6.5.3, v3.2.1 6.5.4, v3.2.1 6.5.10, v4.0 6.2.4 | * | |
Cleartext Storage of Sensitive Information | CWE312 | 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2014 M2, 2016 M2, 2017 A3, 2021 A1, 2021 A4 | L1 | * | ||
Cleartext Storage in a File or on Disk* | CWE313 | 2010 A7, 2013 A6, 2017 A3, 2021 A4 | ||||
Cleartext Storage in the Registry* | CWE314 | 2010 A7, 2013 A6, 2017 A3, 2021 A4 | ||||
Cleartext Storage of Sensitive Information in a Cookie | CWE315 | 2010 A7, 2013 A6, 2017 A3, 2021 A4, 2021 A5 | ||||
Cleartext Storage of Sensitive Information in Memory* | CWE316 | 2010 A7, 2013 A6, 2017 A3, 2021 A4 | ||||
Cleartext Storage of Sensitive Information in GUI* | CWE317 | 2010 A7, 2013 A6, 2017 A3, 2021 A4 | ||||
Cleartext Storage of Sensitive Information in Executable* | CWE318 | 2010 A7, 2013 A6, 2017 A3, 2021 A4 | ||||
Cleartext Transmission of Sensitive Information | CWE319 | 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2010 A9, 2013 A2, 2013 A6, 2014 M3, 2016 M3, 2017 A3, 2021 A2, 2021 A4 | L1 | * | ||
Use of Hard-coded Cryptographic Key | CWE321 | 2004 A3, 2004 A8, 2007 A8, 2007 A9, 2010 A3, 2019 API2, 2021 A2, 2021 A7 | L2 | * | * | |
Key Exchange without Entity Authentication* | CWE322 | 2010 A3, 2021 A2, 2021 A7 | L1 | * | * | |
Reusing a Nonce, Key Pair in Encryption* | CWE323 | 2021 A2 | ||||
Use of a Key Past its Expiration Date* | CWE324 | 2021 A2 | * | |||
Missing Cryptographic Step* | CWE325 | 2007 A8, 2007 A9, 2013 A6, 2017 A3, 2021 A2 | ||||
Inadequate Encryption Strength | CWE326 | 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2 | L1 | v3.2.1 6.5.3, v4.0 6.2.4 | ||
Use of a Broken or Risky Cryptographic Algorithm | CWE327 | 2004 A8, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2 | L2 | v3.2.1 6.5.3, v4.0 6.2.4 | * | |
Use of Weak Hash | CWE328 | 2004 A8, 2007 A8, 2007 A9, 2010 A7, 2013 A6, 2014 M6, 2016 M5, 2017 A3, 2021 A2 | L1 | v3.2.1 6.5.3, v4.0 6.2.4 | * | |
Generation of Predictable IV with CBC Mode | CWE329 | 2021 A2 | v3.2.1 6.5.3, v4.0 6.2.4 | |||
Use of Insufficiently Random Values | CWE330 | 2004 A2, 2021 A2 | L1 | * | ||
Insufficient Entropy* | CWE331 | 2004 A2, 2021 A2 | L1 | * | ||
Insufficient Entropy in PRNG* | CWE332 | 2021 A2 | L1 | |||
Improper Handling of Insufficient Entropy in TRNG* | CWE333 | 2021 A2 | L1 | |||
Small Space of Random Values* | CWE334 | 2004 A2, 2021 A2 | L1 | * | ||
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)* | CWE335 | 2004 A2, 2021 A2 | L1 | * | ||
Same Seed in Pseudo-Random Number Generator (PRNG)* | CWE336 | 2021 A2 | ||||
Predictable Seed in Pseudo-Random Number Generator (PRNG)* | CWE337 | 2021 A2 | ||||
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)* | CWE338 | 2004 A2, 2021 A2 | L1 | * | ||
Small Seed Space in PRNG* | CWE339 | 2021 A2 | ||||
Generation of Predictable Numbers or Identifiers* | CWE340 | 2004 A2, 2021 A2 | L1 | * | ||
Predictable from Observable State* | CWE341 | 2021 A2 | ||||
Predictable Exact Value from Previous Values* | CWE342 | 2021 A2 | ||||
Predictable Value Range from Previous Values* | CWE343 | 2021 A2 | ||||
Use of Invariant Value in Dynamically Changing Context* | CWE344 | 2004 A2, 2021 A2 | L1 | * | ||
Insufficient Verification of Data Authenticity* | CWE345 | 2004 A3, 2021 A8 | L2 | |||
Origin Validation Error* | CWE346 | 2004 A2, 2004 A3, 2017 A5, 2019 API1, 2021 A1, 2021 A7, 2021 A8 | L1 | |||
Improper Verification of Cryptographic Signature* | CWE347 | 2004 A3, 2021 A2, 2021 A8 | L2 | |||
Use of Less Trusted Source* | CWE348 | 2004 A3, 2021 A8 | L2 | |||
Acceptance of Extraneous Untrusted Data With Trusted Data* | CWE349 | 2004 A3, 2021 A8 | L2 | |||
Reliance on Reverse DNS Resolution for a Security-Critical Action* | CWE350 | 2021 A4, 2021 A7 | L1 | * | ||
Insufficient Type Distinction* | CWE351 | 2004 A3, 2021 A8 | L2 | |||
Cross-Site Request Forgery (CSRF) | CWE352 | 2004 A3, 2007 A5, 2010 A5, 2013 A8, 2021 A1, 2021 A8 | L1 | v3.2.1 6.5.9, v4.0 6.2.4 | * | * |
Missing Support for Integrity Check | CWE353 | 2004 A3, 2021 A8 | L1 | |||
Improper Validation of Integrity Check Value* | CWE354 | 2004 A3, 2021 A8 | L2 | * | ||
Product UI does not Warn User of Unsafe Actions* | CWE356 | |||||
Insufficient UI Warning of Dangerous Operations* | CWE357 | |||||
Improperly Implemented Security Check for Standard* | CWE358 | |||||
Exposure of Private Personal Information to an Unauthorized Actor | CWE359 | 2007 A6, 2017 A3, 2021 A1 | L1 | * | ||
Trust of System Event Data* | CWE360 | 2004 A3, 2021 A8 | L2 | |||
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | CWE362 | L2 | * | * | ||
Race Condition Enabling Link Following* | CWE363 | L2 | ||||
Signal Handler Race Condition* | CWE364 | L2 | * | * | ||
DEPRECATED: Race Condition in Switch* | CWE365 | |||||
Race Condition within a Thread | CWE366 | L2 | * | * | ||
Time-of-check Time-of-use (TOCTOU) Race Condition* | CWE367 | L2 | * | * | ||
Context Switching Race Condition* | CWE368 | L2 | * | * | ||
Divide By Zero | CWE369 | 2004 A9 | * | |||
Missing Check for Certificate Revocation after Initial Check* | CWE370 | L2 | ||||
Incomplete Internal State Distinction* | CWE372 | |||||
DEPRECATED: State Synchronization Error* | CWE373 | |||||
Passing Mutable Objects to an Untrusted Method | CWE374 | 2021 A1 | ||||
Returning a Mutable Object to an Untrusted Caller* | CWE375 | 2021 A1 | ||||
Insecure Temporary File* | CWE377 | 2021 A1 | ||||
Creation of Temporary File With Insecure Permissions* | CWE378 | 2021 A1 | ||||
Creation of Temporary File in Directory with Insecure Permissions* | CWE379 | 2021 A1 | ||||
J2EE Bad Practices: Use of System.exit() | CWE382 | 2004 A9 | ||||
J2EE Bad Practices: Direct Use of Threads* | CWE383 | |||||
Session Fixation* | CWE384 | 2004 A3, 2013 A2, 2014 M9, 2017 A2, 2021 A3, 2021 A7 | L1 | |||
Covert Timing Channel* | CWE385 | L3 | ||||
Symbolic Name not Mapping to Correct Object* | CWE386 | 2013 A4, 2021 A1 | ||||
Detection of Error Condition Without Action* | CWE390 | 2004 A7 | L2 | |||
Unchecked Error Condition | CWE391 | 2004 A7 | L2 | * | ||
Missing Report of Error Condition* | CWE392 | |||||
Return of Wrong Status Code* | CWE393 | |||||
Unexpected Status Code or Return Value* | CWE394 | 2004 A7 | L2 | * | ||
Use of NullPointerException Catch to Detect NULL Pointer Dereference* | CWE395 | |||||
Declaration of Catch for Generic Exception | CWE396 | |||||
Declaration of Throws for Generic Exception* | CWE397 | |||||
Uncontrolled Resource Consumption | CWE400 | 2004 A9 | L1 | * | ||
Missing Release of Memory after Effective Lifetime | CWE401 | 2004 A9 | * | * | ||
Transmission of Private Resources into a New Sphere ('Resource Leak')* | CWE402 | 2021 A1 | ||||
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')* | CWE403 | 2021 A1 | ||||
Improper Resource Shutdown or Release | CWE404 | 2004 A9 | * | |||
Asymmetric Resource Consumption (Amplification)* | CWE405 | 2004 A9 | L1 | * | ||
Insufficient Control of Network Message Volume (Network Amplification)* | CWE406 | 2004 A9 | ||||
Inefficient Algorithmic Complexity* | CWE407 | 2004 A9 | ||||
Incorrect Behavior Order: Early Amplification* | CWE408 | 2004 A9 | ||||
Improper Handling of Highly Compressed Data (Data Amplification)* | CWE409 | 2004 A9 | L2 | |||
Insufficient Resource Pool* | CWE410 | 2004 A9 | ||||
Unrestricted Externally Accessible Lock* | CWE412 | 2004 A9 | ||||
Improper Resource Locking* | CWE413 | |||||
Missing Lock Check* | CWE414 | |||||
Double Free | CWE415 | * | ||||
Use After Free | CWE416 | * | * | |||
Unprotected Primary Channel* | CWE419 | 2021 A4 | L1 | |||
Unprotected Alternate Channel* | CWE420 | L2 | ||||
Race Condition During Access to Alternate Channel* | CWE421 | L2 | * | * | ||
Unprotected Windows Messaging Channel ('Shatter')* | CWE422 | |||||
DEPRECATED: Proxied Trusted Channel* | CWE423 | |||||
Improper Protection of Alternate Path* | CWE424 | |||||
Direct Request ('Forced Browsing')* | CWE425 | 2004 A1, 2004 A2, 2007 A10, 2010 A4, 2010 A8, 2017 A5, 2021 A1, 2021 A7 | * | * | ||
Untrusted Search Path* | CWE426 | 2021 A1, 2021 A4, 2021 A8 | * | * | ||
Uncontrolled Search Path Element* | CWE427 | 2021 A1 | ||||
Unquoted Search Path or Element* | CWE428 | 2021 A1 | ||||
Deployment of Wrong Handler* | CWE430 | 2021 A4 | ||||
Missing Handler* | CWE431 | L2 | ||||
Dangerous Signal Handler not Disabled During Sensitive Operations* | CWE432 | |||||
Unparsed Raw Web Content Delivery* | CWE433 | 2004 A10, 2010 A6, 2021 A1 | ||||
Unrestricted Upload of File with Dangerous Type* | CWE434 | 2007 A3, 2010 A4, 2021 A4 | L1 | * | * | |
Improper Interaction Between Multiple Correctly-Behaving Entities* | CWE435 | |||||
Interpretation Conflict* | CWE436 | L2 | ||||
Incomplete Model of Endpoint Features* | CWE437 | L2 | ||||
Behavioral Change in New Version or Environment* | CWE439 | |||||
Expected Behavior Violation | CWE440 | |||||
Unintended Proxy or Intermediary ('Confused Deputy')* | CWE441 | 2021 A1, 2021 A3 | ||||
DEPRECATED: HTTP response splitting* | CWE443 | |||||
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')* | CWE444 | 2021 A4 | L2 | |||
UI Discrepancy for Security Feature* | CWE446 | |||||
Unimplemented or Unsupported Feature in UI* | CWE447 | |||||
Obsolete Feature in UI* | CWE448 | |||||
The UI Performs the Wrong Action* | CWE449 | |||||
Multiple Interpretations of UI Input* | CWE450 | |||||
User Interface (UI) Misrepresentation of Critical Information* | CWE451 | 2021 A4 | ||||
Insecure Default Variable Initialization* | CWE453 | |||||
External Initialization of Trusted Variables or Data Stores* | CWE454 | * | ||||
Non-exit on Failed Initialization* | CWE455 | 2004 A7 | * | |||
Missing Initialization of a Variable* | CWE456 | * | ||||
Use of Uninitialized Variable | CWE457 | * | ||||
DEPRECATED: Incorrect Initialization* | CWE458 | |||||
Incomplete Cleanup* | CWE459 | 2004 A9, 2004 A10 | * | |||
Improper Cleanup on Thrown Exception* | CWE460 | 2004 A10 | ||||
Duplicate Key in Associative List (Alist)* | CWE462 | |||||
Deletion of Data Structure Sentinel* | CWE463 | |||||
Addition of Data Structure Sentinel* | CWE464 | 2021 A3 | L1 | |||
Return of Pointer Value Outside of Expected Range* | CWE466 | 2004 A1, 2004 A5, 2021 A3 | L1 | * | * | |
Use of sizeof() on a Pointer Type | CWE467 | * | ||||
Incorrect Pointer Scaling* | CWE468 | * | ||||
Use of Pointer Subtraction to Determine Size* | CWE469 | * | ||||
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | CWE470 | 2004 A1, 2021 A1, 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | * | * |
Modification of Assumed-Immutable Data (MAID)* | CWE471 | 2021 A3 | ||||
External Control of Assumed-Immutable Web Parameter* | CWE472 | 2004 A1, 2007 A4, 2021 A3, 2021 A4 | * | |||
PHP External Variable Modification* | CWE473 | 2021 A3 | ||||
Use of Function with Inconsistent Implementations* | CWE474 | |||||
Undefined Behavior for Input to API | CWE475 | |||||
NULL Pointer Dereference | CWE476 | 2004 A9 | L2 | * | * | |
Use of Obsolete Function | CWE477 | L2 | ||||
Missing Default Case in Multiple Condition Expression* | CWE478 | |||||
Signal Handler Use of a Non-reentrant Function* | CWE479 | |||||
Use of Incorrect Operator | CWE480 | |||||
Assigning instead of Comparing | CWE481 | |||||
Comparing instead of Assigning* | CWE482 | |||||
Incorrect Block Delimitation* | CWE483 | |||||
Omitted Break Statement in Switch | CWE484 | |||||
Comparison of Classes by Name* | CWE486 | |||||
Reliance on Package-level Scope* | CWE487 | |||||
Exposure of Data Element to Wrong Session* | CWE488 | 2021 A1 | ||||
Active Debug Code* | CWE489 | 2004 A10 | ||||
Public cloneable() Method Without Final ('Object Hijack')* | CWE491 | 2021 A1 | ||||
Use of Inner Class Containing Sensitive Data* | CWE492 | 2021 A1 | ||||
Critical Public Variable Without Final Modifier | CWE493 | 2021 A1 | ||||
Download of Code Without Integrity Check* | CWE494 | 2004 A3, 2021 A8 | L2 | * | ||
Private Data Structure Returned From A Public Method* | CWE495 | |||||
Public Data Assigned to Private Array-Typed Field* | CWE496 | |||||
Exposure of Sensitive System Information to an Unauthorized Control Sphere* | CWE497 | 2007 A6, 2021 A1 | L1 | v3.2.1 6.5.5, v4.0 6.2.4 | * | |
Cloneable Class Containing Sensitive Information* | CWE498 | 2021 A1 | ||||
Serializable Class Containing Sensitive Data* | CWE499 | 2021 A1 | ||||
Public Static Field Not Marked Final* | CWE500 | |||||
Trust Boundary Violation | CWE501 | 2021 A4 | ||||
Deserialization of Untrusted Data | CWE502 | 2017 A8, 2021 A1, 2021 A8 | L1 | * | ||
Embedded Malicious Code* | CWE506 | |||||
Trojan Horse* | CWE507 | L3 | ||||
Non-Replicating Malicious Code* | CWE508 | L3 | ||||
Replicating Malicious Code (Virus or Worm)* | CWE509 | L1 | ||||
Trapdoor* | CWE510 | |||||
Logic/Time Bomb* | CWE511 | L3 | ||||
Spyware* | CWE512 | |||||
Covert Channel* | CWE514 | |||||
Covert Storage Channel* | CWE515 | |||||
DEPRECATED: Covert Timing Channel* | CWE516 | |||||
.NET Misconfiguration: Use of Impersonation* | CWE520 | 2004 A2, 2004 A10, 2021 A4, 2021 A5 | ||||
Weak Password Requirements* | CWE521 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | * | ||
Insufficiently Protected Credentials* | CWE522 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A1, 2021 A4, 2021 A7 | L1 | * | ||
Unprotected Transport of Credentials* | CWE523 | 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A2, 2021 A4 | L1 | * | ||
Use of Cache Containing Sensitive Information* | CWE524 | 2021 A1 | L2 | |||
Use of Web Browser Cache Containing Sensitive Information* | CWE525 | 2004 A2, 2004 A3, 2021 A4 | L1 | |||
Cleartext Storage of Sensitive Information in an Environment Variable* | CWE526 | 2004 A10, 2010 A7, 2013 A6, 2017 A3, 2021 A4, 2021 A5 | ||||
Exposure of Version-Control Repository to an Unauthorized Control Sphere* | CWE527 | 2004 A10, 2010 A6, 2021 A1 | L1 | |||
Exposure of Core Dump File to an Unauthorized Control Sphere* | CWE528 | 2004 A10, 2010 A6, 2021 A1 | L1 | |||
Exposure of Access Control List Files to an Unauthorized Control Sphere* | CWE529 | 2004 A10, 2010 A6, 2021 A1 | L1 | |||
Exposure of Backup File to an Unauthorized Control Sphere* | CWE530 | 2004 A10, 2010 A6, 2021 A1 | L1 | |||
Inclusion of Sensitive Information in Test Code* | CWE531 | 2004 A10, 2021 A1 | ||||
Insertion of Sensitive Information into Log File* | CWE532 | 2004 A10, 2007 A6, 2010 A6, 2021 A1, 2021 A9 | L1 | * | ||
DEPRECATED: Information Exposure Through Server Log Files* | CWE533 | |||||
DEPRECATED: Information Exposure Through Debug Log Files* | CWE534 | |||||
Exposure of Information Through Shell Error Message* | CWE535 | |||||
Servlet Runtime Error Message Containing Sensitive Information* | CWE536 | |||||
Java Runtime Error Message Containing Sensitive Information* | CWE537 | 2021 A5 | ||||
Insertion of Sensitive Information into Externally-Accessible File or Directory* | CWE538 | 2007 A6, 2010 A6, 2021 A1 | L1 | * | ||
Use of Persistent Cookies Containing Sensitive Information | CWE539 | 2004 A8, 2004 A10, 2010 A6, 2021 A1, 2021 A4 | L1 | |||
Inclusion of Sensitive Information in Source Code* | CWE540 | 2004 A10, 2010 A6, 2021 A1 | ||||
Inclusion of Sensitive Information in an Include File* | CWE541 | 2004 A10, 2021 A1, 2021 A5 | ||||
DEPRECATED: Information Exposure Through Cleanup Log Files* | CWE542 | |||||
Use of Singleton Pattern Without Synchronization in a Multithreaded Context | CWE543 | |||||
Missing Standardized Error Handling Mechanism* | CWE544 | L2 | ||||
DEPRECATED: Use of Dynamic Class Loading* | CWE545 | |||||
Suspicious Comment* | CWE546 | |||||
Use of Hard-coded, Security-relevant Constants* | CWE547 | 2021 A5 | ||||
Exposure of Information Through Directory Listing* | CWE548 | 2004 A10, 2013 A5, 2017 A6, 2021 A1 | L1 | |||
Missing Password Field Masking* | CWE549 | 2004 A3, 2007 A7, 2013 A2, 2017 A2, 2021 A4 | * | |||
Server-generated Error Message Containing Sensitive Information* | CWE550 | 2004 A7, 2004 A10, 2007 A6, 2010 A6, 2013 A5, 2017 A6, 2021 A4 | * | |||
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization* | CWE551 | 2004 A2, 2010 A4, 2010 A8, 2021 A1 | * | * | ||
Files or Directories Accessible to External Parties | CWE552 | 2004 A2, 2004 A10, 2007 A10, 2010 A6, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | ||
Command Shell in Externally Accessible Directory* | CWE553 | 2004 A10, 2010 A6, 2021 A1 | L1 | |||
ASP.NET Misconfiguration: Not Using Input Validation Framework* | CWE554 | 2004 A10, 2021 A4 | ||||
J2EE Misconfiguration: Plaintext Password in Configuration File* | CWE555 | 2004 A10, 2021 A5 | ||||
ASP.NET Misconfiguration: Use of Identity Impersonation* | CWE556 | 2004 A2, 2004 A10, 2021 A4 | ||||
Use of getlogin() in Multithreaded Application* | CWE558 | |||||
Use of umask() with chmod-style Argument* | CWE560 | |||||
Dead Code | CWE561 | |||||
Return of Stack Variable Address | CWE562 | |||||
Assignment to Variable without Use | CWE563 | |||||
SQL Injection: Hibernate | CWE564 | 2004 A1, 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | L1 | * | * | |
Reliance on Cookies without Validation and Integrity Checking* | CWE565 | 2004 A1, 2021 A4, 2021 A8 | L1 | * | ||
Authorization Bypass Through User-Controlled SQL Primary Key* | CWE566 | 2004 A2, 2007 A4, 2010 A4, 2013 A4, 2017 A5, 2019 API1, 2021 A1 | L1 | |||
Unsynchronized Access to Shared Data in a Multithreaded Context* | CWE567 | |||||
finalize() Method Without super.finalize() | CWE568 | 2004 A10 | ||||
Expression is Always False | CWE570 | |||||
Expression is Always True | CWE571 | |||||
Call to Thread run() instead of start() | CWE572 | |||||
Improper Following of Specification by Caller* | CWE573 | |||||
EJB Bad Practices: Use of Synchronization Primitives* | CWE574 | |||||
EJB Bad Practices: Use of AWT Swing* | CWE575 | |||||
EJB Bad Practices: Use of Java I/O* | CWE576 | |||||
EJB Bad Practices: Use of Sockets* | CWE577 | |||||
EJB Bad Practices: Use of Class Loader* | CWE578 | |||||
J2EE Bad Practices: Non-serializable Object Stored in Session | CWE579 | 2021 A4 | ||||
clone() Method Without super.clone() | CWE580 | |||||
Object Model Violation: Just One of Equals and Hashcode Defined* | CWE581 | |||||
Array Declared Public, Final, and Static* | CWE582 | 2021 A1 | ||||
finalize() Method Declared Public | CWE583 | 2021 A1 | ||||
Return Inside Finally Block* | CWE584 | |||||
Empty Synchronized Block | CWE585 | |||||
Explicit Call to Finalize() | CWE586 | |||||
Assignment of a Fixed Address to a Pointer | CWE587 | |||||
Attempt to Access Child of a Non-structure Pointer* | CWE588 | |||||
Call to Non-ubiquitous API* | CWE589 | |||||
Free of Memory not on the Heap | CWE590 | |||||
Sensitive Data Storage in Improperly Locked Memory* | CWE591 | 2004 A8 | ||||
DEPRECATED: Authentication Bypass Issues* | CWE592 | |||||
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created* | CWE593 | |||||
J2EE Framework: Saving Unserializable Objects to Disk* | CWE594 | |||||
Comparison of Object References Instead of Object Contents | CWE595 | |||||
DEPRECATED: Incorrect Semantic Object Comparison* | CWE596 | |||||
Use of Wrong Operator in String Comparison | CWE597 | |||||
Use of GET Request Method With Sensitive Query Strings* | CWE598 | 2004 A8, 2021 A1, 2021 A4 | L1 | |||
Missing Validation of OpenSSL Certificate* | CWE599 | 2004 A10, 2017 A3, 2021 A7 | L2 | * | ||
Uncaught Exception in Servlet* | CWE600 | 2004 A9 | ||||
URL Redirection to Untrusted Site ('Open Redirect') | CWE601 | 2004 A1, 2010 A10, 2013 A10, 2021 A1, 2021 A3 | L1 | * | ||
Client-Side Enforcement of Server-Side Security* | CWE602 | 2004 A1, 2021 A4 | L1 | * | ||
Use of Client-Side Authentication* | CWE603 | 2004 A1, 2021 A4 | L1 | * | ||
Multiple Binds to the Same Port* | CWE605 | |||||
Unchecked Input for Loop Condition* | CWE606 | |||||
Public Static Final Field References Mutable Object* | CWE607 | 2021 A3 | ||||
Struts: Non-private Field in ActionForm Class* | CWE608 | 2021 A1 | ||||
Double-Checked Locking | CWE609 | |||||
Externally Controlled Reference to a Resource in Another Sphere* | CWE610 | 2021 A3 | ||||
Improper Restriction of XML External Entity Reference | CWE611 | 2017 A4, 2021 A3, 2021 A5 | L1 | * | ||
Improper Authorization of Index Containing Sensitive Information* | CWE612 | |||||
Insufficient Session Expiration* | CWE613 | 2004 A3, 2013 A2, 2014 M9, 2017 A2, 2021 A7 | L1 | * | ||
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CWE614 | 2010 A9, 2013 A6, 2016 M3, 2017 A3, 2021 A2, 2021 A5 | L1 | * | ||
Inclusion of Sensitive Information in Source Code Comments* | CWE615 | 2004 A10, 2021 A1 | ||||
Incomplete Identification of Uploaded File Variables (PHP)* | CWE616 | 2004 A3, 2021 A8 | L2 | |||
Reachable Assertion* | CWE617 | |||||
Exposed Unsafe ActiveX Method* | CWE618 | L1 | * | |||
Dangling Database Cursor ('Cursor Injection')* | CWE619 | 2021 A1 | ||||
Unverified Password Change* | CWE620 | 2004 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | |||
Variable Extraction Error* | CWE621 | |||||
Improper Validation of Function Hook Arguments* | CWE622 | 2004 A1, 2021 A3 | L1 | * | * | |
Unsafe ActiveX Control Marked Safe For Scripting* | CWE623 | |||||
Executable Regular Expression Error* | CWE624 | 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | * | |||
Permissive Regular Expression* | CWE625 | |||||
Null Byte Interaction Error (Poison Null Byte)* | CWE626 | L1 | ||||
Dynamic Variable Evaluation* | CWE627 | |||||
Function Call with Incorrectly Specified Arguments | CWE628 | |||||
Not Failing Securely ('Failing Open')* | CWE636 | 2004 A7, 2021 A4 | ||||
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')* | CWE637 | 2021 A4 | L2 | |||
Not Using Complete Mediation* | CWE638 | 2010 A4, 2010 A8, 2021 A1, 2021 A4 | * | * | ||
Authorization Bypass Through User-Controlled Key* | CWE639 | 2004 A2, 2007 A4, 2010 A4, 2010 A8, 2013 A4, 2017 A5, 2019 API1, 2021 A1 | L1 | * | * | |
Weak Password Recovery Mechanism for Forgotten Password* | CWE640 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | * | ||
Improper Restriction of Names for Files and Other Resources* | CWE641 | 2010 A4, 2013 A4, 2021 A3 | L1 | |||
External Control of Critical State Data* | CWE642 | 2021 A1, 2021 A4 | * | |||
Improper Neutralization of Data within XPath Expressions ('XPath Injection') | CWE643 | 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | L1 | v3.2.1 6.5.1, v4.0 6.2.4 | ||
Improper Neutralization of HTTP Headers for Scripting Syntax* | CWE644 | 2004 A4, 2021 A3 | L1 | * | ||
Overly Restrictive Account Lockout Mechanism* | CWE645 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | * | ||
Reliance on File Name or Extension of Externally-Supplied File* | CWE646 | 2004 A3, 2021 A4, 2021 A8 | L2 | |||
Use of Non-Canonical URL Paths for Authorization Decisions* | CWE647 | 2010 A4, 2010 A8, 2021 A1 | * | * | ||
Incorrect Use of Privileged APIs* | CWE648 | 2021 A4 | * | |||
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking* | CWE649 | 2004 A3, 2021 A8 | L2 | |||
Trusting HTTP Permission Methods on the Server Side* | CWE650 | 2021 A4 | L1 | |||
Exposure of WSDL File Containing Sensitive Information* | CWE651 | 2010 A6, 2021 A1 | ||||
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')* | CWE652 | 2004 A6, 2007 A2, 2010 A1, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | ||||
Improper Isolation or Compartmentalization* | CWE653 | 2021 A4 | ||||
Reliance on a Single Factor in a Security Decision* | CWE654 | 2021 A4 | ||||
Insufficient Psychological Acceptability* | CWE655 | 2021 A4 | ||||
Reliance on Security Through Obscurity* | CWE656 | 2021 A4 | ||||
Violation of Secure Design Principles* | CWE657 | 2021 A4 | ||||
Improper Synchronization* | CWE662 | |||||
Use of a Non-reentrant Function in a Concurrent Context* | CWE663 | |||||
Improper Control of a Resource Through its Lifetime | CWE664 | |||||
Improper Initialization | CWE665 | * | ||||
Operation on Resource in Wrong Phase of Lifetime* | CWE666 | |||||
Improper Locking | CWE667 | |||||
Exposure of Resource to Wrong Sphere* | CWE668 | 2021 A1 | ||||
Incorrect Resource Transfer Between Spheres* | CWE669 | |||||
Always-Incorrect Control Flow Implementation* | CWE670 | |||||
Lack of Administrator Control over Security* | CWE671 | 2021 A4 | ||||
Operation on a Resource after Expiration or Release | CWE672 | * | ||||
External Influence of Sphere Definition* | CWE673 | |||||
Uncontrolled Recursion | CWE674 | 2004 A9 | ||||
Multiple Operations on Resource in Single-Operation Context* | CWE675 | |||||
Use of Potentially Dangerous Function | CWE676 | * | ||||
Integer Overflow to Buffer Overflow* | CWE680 | L2 | * | * | ||
Incorrect Conversion between Numeric Types* | CWE681 | * | ||||
Incorrect Calculation | CWE682 | * | ||||
Function Call With Incorrect Order of Arguments | CWE683 | |||||
Incorrect Provision of Specified Functionality* | CWE684 | |||||
Function Call With Incorrect Number of Arguments | CWE685 | |||||
Function Call With Incorrect Argument Type | CWE686 | |||||
Function Call With Incorrectly Specified Argument Value | CWE687 | |||||
Function Call With Incorrect Variable or Reference as Argument | CWE688 | |||||
Permission Race Condition During Resource Copy* | CWE689 | L2 | * | * | ||
Unchecked Return Value to NULL Pointer Dereference* | CWE690 | 2004 A7 | ||||
Insufficient Control Flow Management* | CWE691 | |||||
Incomplete Denylist to Cross-Site Scripting* | CWE692 | 2021 A3 | ||||
Protection Mechanism Failure* | CWE693 | |||||
Use of Multiple Resources with Duplicate Identifier* | CWE694 | 2010 A4, 2013 A4, 2021 A3 | ||||
Use of Low-Level Functionality* | CWE695 | |||||
Incorrect Behavior Order | CWE696 | |||||
Incorrect Comparison* | CWE697 | |||||
Execution After Redirect (EAR)* | CWE698 | |||||
Improper Check or Handling of Exceptional Conditions | CWE703 | |||||
Incorrect Type Conversion or Cast | CWE704 | |||||
Incorrect Control Flow Scoping* | CWE705 | |||||
Use of Incorrectly-Resolved Name or Reference* | CWE706 | 2013 A4, 2021 A1 | ||||
Improper Neutralization* | CWE707 | |||||
Incorrect Ownership Assignment* | CWE708 | 2004 A2 | ||||
Improper Adherence to Coding Standards* | CWE710 | |||||
Incorrect Permission Assignment for Critical Resource | CWE732 | 2004 A2, 2007 A10, 2010 A6, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | * | |
Compiler Optimization Removal or Modification of Security-critical Code* | CWE733 | |||||
Exposed Dangerous Method or Function | CWE749 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L1 | * | ||
Improper Check for Unusual or Exceptional Conditions* | CWE754 | L2 | * | |||
Improper Handling of Exceptional Conditions* | CWE755 | |||||
Missing Custom Error Page* | CWE756 | 2021 A5 | ||||
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')* | CWE757 | 2021 A2 | ||||
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | CWE758 | |||||
Use of a One-Way Hash without a Salt* | CWE759 | 2010 A7, 2021 A2 | L2 | * | ||
Use of a One-Way Hash with a Predictable Salt* | CWE760 | 2021 A2 | L2 | |||
Free of Pointer not at Start of Buffer* | CWE761 | 2004 A9 | * | |||
Mismatched Memory Management Routines | CWE762 | 2004 A9 | * | |||
Release of Invalid Pointer or Reference* | CWE763 | 2004 A9 | * | |||
Multiple Locks of a Critical Resource* | CWE764 | |||||
Multiple Unlocks of a Critical Resource* | CWE765 | |||||
Critical Data Element Declared Public* | CWE766 | 2010 A6 | L2 | * | * | |
Access to Critical Private Variable via Public Method* | CWE767 | 2021 A1 | ||||
Incorrect Short Circuit Evaluation | CWE768 | |||||
DEPRECATED: Uncontrolled File Descriptor Consumption* | CWE769 | |||||
Allocation of Resources Without Limits or Throttling* | CWE770 | 2004 A9, 2019 API4 | L1 | * | * | |
Missing Reference to Active Allocated Resource | CWE771 | 2004 A9 | L1 | * | ||
Missing Release of Resource after Effective Lifetime | CWE772 | 2004 A9 | * | * | ||
Missing Reference to Active File Descriptor or Handle* | CWE773 | |||||
Allocation of File Descriptors or Handles Without Limits or Throttling* | CWE774 | 2019 API4 | L1 | * | ||
Missing Release of File Descriptor or Handle after Effective Lifetime | CWE775 | 2004 A9 | * | * | ||
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')* | CWE776 | 2004 A9, 2017 A4, 2021 A5 | ||||
Regular Expression without Anchors* | CWE777 | |||||
Insufficient Logging* | CWE778 | 2017 A10, 2019 API10, 2021 A9 | L2 | |||
Logging of Excessive Data* | CWE779 | 2004 A9 | L1 | * | ||
Use of RSA Algorithm without OAEP | CWE780 | 2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2 | L2 | * | ||
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code* | CWE781 | |||||
Exposed IOCTL with Insufficient Access Control* | CWE782 | L1 | * | |||
Operator Precedence Logic Error | CWE783 | |||||
Reliance on Cookies without Validation and Integrity Checking in a Security Decision* | CWE784 | 2021 A4, 2021 A8 | * | |||
Use of Path Manipulation Function without Maximum-sized Buffer* | CWE785 | 2004 A1, 2004 A5, 2021 A3 | L1 | * | * | |
Access of Memory Location Before Start of Buffer | CWE786 | 2004 A5 | * | * | ||
Out-of-bounds Write* | CWE787 | 2004 A5 | * | * | ||
Access of Memory Location After End of Buffer | CWE788 | 2004 A5 | * | * | ||
Memory Allocation with Excessive Size Value* | CWE789 | 2019 API4 | L1 | * | ||
Improper Filtering of Special Elements* | CWE790 | 2021 A3 | L1 | |||
Incomplete Filtering of Special Elements* | CWE791 | |||||
Incomplete Filtering of One or More Instances of Special Elements* | CWE792 | |||||
Only Filtering One Instance of a Special Element* | CWE793 | |||||
Incomplete Filtering of Multiple Instances of Special Elements* | CWE794 | |||||
Only Filtering Special Elements at a Specified Location* | CWE795 | |||||
Only Filtering Special Elements Relative to a Marker* | CWE796 | |||||
Only Filtering Special Elements at an Absolute Position* | CWE797 | |||||
Use of Hard-coded Credentials | CWE798 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2014 M2, 2016 M2, 2017 A2, 2019 API2, 2021 A7 | L1 | v3.2.1 6.5.10, v4.0 6.2.4 | * | * |
Improper Control of Interaction Frequency* | CWE799 | 2021 A4 | L1 | * | ||
Guessable CAPTCHA* | CWE804 | 2010 A4, 2010 A8, 2021 A1 | * | * | ||
Buffer Access with Incorrect Length Value* | CWE805 | 2004 A5 | * | * | ||
Buffer Access Using Size of Source Buffer* | CWE806 | * | ||||
Reliance on Untrusted Inputs in a Security Decision | CWE807 | 2021 A4 | * | |||
Missing Synchronization* | CWE820 | |||||
Incorrect Synchronization* | CWE821 | |||||
Untrusted Pointer Dereference* | CWE822 | 2004 A5 | * | * | ||
Use of Out-of-range Pointer Offset* | CWE823 | 2004 A5 | * | * | ||
Access of Uninitialized Pointer* | CWE824 | 2004 A5 | * | * | ||
Expired Pointer Dereference | CWE825 | 2004 A5 | * | * | ||
Premature Release of Resource During Expected Lifetime* | CWE826 | |||||
Improper Control of Document Type Definition* | CWE827 | 2010 A4, 2013 A4, 2021 A1, 2021 A8 | L1 | * | ||
Signal Handler with Functionality that is not Asynchronous-Safe* | CWE828 | |||||
Inclusion of Functionality from Untrusted Control Sphere* | CWE829 | 2010 A4, 2021 A8 | L1 | * | ||
Inclusion of Web Functionality from an Untrusted Source* | CWE830 | 2010 A4, 2021 A8 | L1 | * | ||
Signal Handler Function Associated with Multiple Signals* | CWE831 | |||||
Unlock of a Resource that is not Locked* | CWE832 | |||||
Deadlock | CWE833 | |||||
Excessive Iteration | CWE834 | |||||
Loop with Unreachable Exit Condition ('Infinite Loop')* | CWE835 | |||||
Use of Password Hash Instead of Password for Authentication* | CWE836 | |||||
Improper Enforcement of a Single, Unique Action* | CWE837 | 2021 A4 | L1 | * | ||
Inappropriate Encoding for Output Context* | CWE838 | 2021 A3 | L1 | * | ||
Numeric Range Comparison Without Minimum Check* | CWE839 | |||||
Improper Enforcement of Behavioral Workflow* | CWE841 | 2021 A4 | L1 | * | ||
Placement of User into Incorrect Group* | CWE842 | |||||
Access of Resource Using Incompatible Type ('Type Confusion')* | CWE843 | |||||
Missing Authorization* | CWE862 | 2004 A2, 2007 A10, 2010 A4, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | * | |
Incorrect Authorization* | CWE863 | 2004 A2, 2007 A10, 2010 A4, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | * | |
Use of Uninitialized Resource* | CWE908 | * | ||||
Missing Initialization of Resource* | CWE909 | * | ||||
Use of Expired File Descriptor | CWE910 | * | ||||
Improper Update of Reference Count* | CWE911 | |||||
Hidden Functionality* | CWE912 | |||||
Improper Control of Dynamically-Managed Code Resources* | CWE913 | 2021 A1 | ||||
Improper Control of Dynamically-Identified Variables* | CWE914 | 2010 A4, 2013 A4, 2021 A1, 2021 A3 | ||||
Improperly Controlled Modification of Dynamically-Determined Object Attributes | CWE915 | 2019 API6, 2021 A1, 2021 A8 | L1 | |||
Use of Password Hash With Insufficient Computational Effort* | CWE916 | 2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2 | L2 | * | ||
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')* | CWE917 | 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | * | |||
Server-Side Request Forgery (SSRF) | CWE918 | 2021 A1, 2021 A3, 2021 A10 | L1 | * | ||
Improper Restriction of Power Consumption* | CWE920 | 2004 A9 | L1 | * | ||
Storage of Sensitive Data in a Mechanism without Access Control | CWE921 | 2014 M2, 2014 M4, 2016 M2, 2021 A1 | L1 | |||
Insecure Storage of Sensitive Information* | CWE922 | 2021 A1 | L1 | |||
Improper Restriction of Communication Channel to Intended Endpoints* | CWE923 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Enforcement of Message Integrity During Transmission in a Communication Channel* | CWE924 | 2004 A3, 2021 A8 | L2 | |||
Improper Verification of Intent by Broadcast Receiver | CWE925 | 2016 M1, 2021 A7 | ||||
Improper Export of Android Application Components* | CWE926 | 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2016 M1, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | ||
Use of Implicit Intent for Sensitive Communication | CWE927 | 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1, 2021 A4 | L1 | * | ||
Improper Authorization in Handler for Custom URL Scheme* | CWE939 | 2010 A4, 2010 A8, 2021 A1 | * | * | ||
Improper Verification of Source of a Communication Channel* | CWE940 | 2021 A7 | L1 | |||
Incorrectly Specified Destination in a Communication Channel* | CWE941 | L2 | ||||
Permissive Cross-domain Policy with Untrusted Domains* | CWE942 | 2004 A1, 2010 A4, 2010 A8, 2021 A1, 2021 A4, 2021 A5 | L2 | * | * | |
Improper Neutralization of Special Elements in Data Query Logic | CWE943 | 2004 A6, 2013 A1, 2017 A1, 2021 A3 | ||||
Sensitive Cookie Without 'HttpOnly' Flag | CWE1004 | 2010 A6, 2021 A5 | L1 | * | * | |
Insufficient Visual Distinction of Homoglyphs Presented to User* | CWE1007 | 2021 A4 | ||||
Improper Restriction of Rendered UI Layers or Frames* | CWE1021 | 2021 A1, 2021 A3, 2021 A4 | L1 | |||
Use of Web Link to Untrusted Target with window.opener Access* | CWE1022 | 2004 A2, 2021 A4 | ||||
Incomplete Comparison with Missing Factors* | CWE1023 | |||||
Comparison of Incompatible Types* | CWE1024 | |||||
Comparison Using Wrong Factors* | CWE1025 | |||||
Processor Optimization Removal or Modification of Security-critical Code* | CWE1037 | |||||
Insecure Automated Optimizations* | CWE1038 | |||||
Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations* | CWE1039 | |||||
Use of Redundant Code* | CWE1041 | |||||
Static Member Data Element outside of a Singleton Class Element* | CWE1042 | |||||
Data Element Aggregating an Excessively Large Number of Non-Primitive Elements* | CWE1043 | |||||
Architecture with Number of Horizontal Layers Outside of Expected Range* | CWE1044 | |||||
Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor* | CWE1045 | |||||
Creation of Immutable Text Using String Concatenation* | CWE1046 | |||||
Modules with Circular Dependencies* | CWE1047 | |||||
Invokable Control Element with Large Number of Outward Calls* | CWE1048 | |||||
Excessive Data Query Operations in a Large Data Table* | CWE1049 | |||||
Excessive Platform Resource Consumption within a Loop* | CWE1050 | 2004 A9 | ||||
Initialization with Hard-Coded Network Resource Configuration Data* | CWE1051 | |||||
Excessive Use of Hard-Coded Literals in Initialization* | CWE1052 | |||||
Missing Documentation for Design* | CWE1053 | 2019 API9 | L2 | |||
Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer* | CWE1054 | |||||
Multiple Inheritance from Concrete Classes* | CWE1055 | |||||
Invokable Control Element with Variadic Parameters* | CWE1056 | |||||
Data Access Operations Outside of Expected Data Manager Component* | CWE1057 | |||||
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element* | CWE1058 | |||||
Insufficient Technical Documentation* | CWE1059 | 2019 API9 | L2 | |||
Excessive Number of Inefficient Server-Side Data Accesses* | CWE1060 | |||||
Insufficient Encapsulation* | CWE1061 | |||||
Parent Class with References to Child Class* | CWE1062 | |||||
Creation of Class Instance within a Static Code Block* | CWE1063 | |||||
Invokable Control Element with Signature Containing an Excessive Number of Parameters* | CWE1064 | |||||
Runtime Resource Management Control Element in a Component Built to Run on Application Servers* | CWE1065 | |||||
Missing Serialization Control Element* | CWE1066 | |||||
Excessive Execution of Sequential Searches of Data Resource* | CWE1067 | |||||
Inconsistency Between Implementation and Documented Design* | CWE1068 | |||||
Empty Exception Block* | CWE1069 | |||||
Serializable Data Element Containing non-Serializable Item Elements* | CWE1070 | |||||
Empty Code Block* | CWE1071 | |||||
Data Resource Access without Use of Connection Pooling* | CWE1072 | 2004 A9 | ||||
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses* | CWE1073 | 2004 A9 | ||||
Class with Excessively Deep Inheritance* | CWE1074 | |||||
Unconditional Control Flow Transfer outside of Switch Block* | CWE1075 | |||||
Insufficient Adherence to Expected Conventions* | CWE1076 | |||||
Floating Point Comparison with Incorrect Operator* | CWE1077 | |||||
Inappropriate Source Code Style or Formatting* | CWE1078 | |||||
Parent Class without Virtual Destructor Method* | CWE1079 | |||||
Source Code File with Excessive Number of Lines of Code* | CWE1080 | |||||
Class Instance Self Destruction Control Element* | CWE1082 | |||||
Data Access from Outside Expected Data Manager Component* | CWE1083 | |||||
Invokable Control Element with Excessive File or Data Access Operations* | CWE1084 | 2004 A9 | ||||
Invokable Control Element with Excessive Volume of Commented-out Code* | CWE1085 | |||||
Class with Excessive Number of Child Classes* | CWE1086 | |||||
Class with Virtual Method without a Virtual Destructor* | CWE1087 | |||||
Synchronous Access of Remote Resource without Timeout* | CWE1088 | |||||
Large Data Table with Excessive Number of Indices* | CWE1089 | 2004 A9 | ||||
Method Containing Access of a Member Element from Another Class* | CWE1090 | |||||
Use of Object without Invoking Destructor Method* | CWE1091 | * | * | |||
Use of Same Invokable Control Element in Multiple Architectural Layers* | CWE1092 | |||||
Excessively Complex Data Representation* | CWE1093 | |||||
Excessive Index Range Scan for a Data Resource* | CWE1094 | 2004 A9 | ||||
Loop Condition Value Update within the Loop* | CWE1095 | |||||
Singleton Class Instance Creation without Proper Locking or Synchronization* | CWE1096 | |||||
Persistent Storable Data Element without Associated Comparison Control Element* | CWE1097 | |||||
Data Element containing Pointer Item without Proper Copy Control Element* | CWE1098 | |||||
Inconsistent Naming Conventions for Identifiers* | CWE1099 | |||||
Insufficient Isolation of System-Dependent Functions* | CWE1100 | |||||
Reliance on Runtime Component in Generated Code* | CWE1101 | |||||
Reliance on Machine-Dependent Data Representation* | CWE1102 | |||||
Use of Platform-Dependent Third Party Components* | CWE1103 | |||||
Use of Unmaintained Third Party Components | CWE1104 | 2021 A6 | L2 | |||
Insufficient Encapsulation of Machine-Dependent Functionality* | CWE1105 | |||||
Insufficient Use of Symbolic Constants* | CWE1106 | |||||
Insufficient Isolation of Symbolic Constant Definitions* | CWE1107 | |||||
Excessive Reliance on Global Variables* | CWE1108 | |||||
Use of Same Variable for Multiple Purposes* | CWE1109 | |||||
Incomplete Design Documentation* | CWE1110 | 2019 API9 | L2 | |||
Incomplete I/O Documentation* | CWE1111 | 2019 API9 | L2 | |||
Incomplete Documentation of Program Execution* | CWE1112 | 2019 API9 | L2 | |||
Inappropriate Comment Style* | CWE1113 | |||||
Inappropriate Whitespace Style* | CWE1114 | |||||
Source Code Element without Standard Prologue* | CWE1115 | |||||
Inaccurate Comments* | CWE1116 | |||||
Callable with Insufficient Behavioral Summary* | CWE1117 | |||||
Insufficient Documentation of Error Handling Techniques* | CWE1118 | 2019 API9 | L2 | |||
Excessive Use of Unconditional Branching* | CWE1119 | |||||
Excessive Code Complexity* | CWE1120 | |||||
Excessive McCabe Cyclomatic Complexity* | CWE1121 | |||||
Excessive Halstead Complexity* | CWE1122 | |||||
Excessive Use of Self-Modifying Code* | CWE1123 | |||||
Excessively Deep Nesting* | CWE1124 | |||||
Excessive Attack Surface* | CWE1125 | |||||
Declaration of Variable with Unnecessarily Wide Scope* | CWE1126 | |||||
Compilation with Insufficient Warnings or Errors* | CWE1127 | |||||
Irrelevant Code* | CWE1164 | |||||
Improper Use of Validation Framework* | CWE1173 | 2004 A1, 2021 A3, 2021 A4 | L1 | * | * | |
ASP.NET Misconfiguration: Improper Model Validation* | CWE1174 | 2021 A4, 2021 A5 | ||||
Inefficient CPU Computation* | CWE1176 | 2004 A9 | ||||
Use of Prohibited Code* | CWE1177 | |||||
DEPRECATED: Use of Uninitialized Resource* | CWE1187 | |||||
Initialization of a Resource with an Insecure Default* | CWE1188 | * | ||||
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)* | CWE1189 | 2021 A1, 2021 A4 | ||||
DMA Device Enabled Too Early in Boot Phase* | CWE1190 | |||||
On-Chip Debug and Test Interface With Improper Access Control* | CWE1191 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Identifier for IP Block used in System-On-Chip (SOC)* | CWE1192 | 2021 A4 | ||||
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control* | CWE1193 | |||||
Generation of Weak Initialization Vector (IV)* | CWE1204 | 2004 A2, 2021 A2 | L1 | * | ||
Failure to Disable Reserved Bits* | CWE1209 | |||||
Insufficient Granularity of Access Control* | CWE1220 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Incorrect Register Defaults or Module Parameters* | CWE1221 | |||||
Insufficient Granularity of Address Regions Protected by Register Locks* | CWE1222 | |||||
Race Condition for Write-Once Attributes* | CWE1223 | L2 | * | * | ||
Improper Restriction of Write-Once Bit Fields* | CWE1224 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Creation of Emergent Resource* | CWE1229 | |||||
Exposure of Sensitive Information Through Metadata* | CWE1230 | 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | ||
Improper Prevention of Lock Bit Modification* | CWE1231 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Lock Behavior After Power State Transition* | CWE1232 | |||||
Security-Sensitive Hardware Controls with Missing Lock Bit Protection* | CWE1233 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Hardware Internal or Debug Modes Allow Override of Locks* | CWE1234 | |||||
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations* | CWE1235 | 2004 A9 | L1 | * | ||
Improper Neutralization of Formula Elements in a CSV File* | CWE1236 | 2004 A6, 2013 A1, 2021 A3 | ||||
Improper Zeroization of Hardware Register* | CWE1239 | 2004 A8 | L2 | |||
Use of a Cryptographic Primitive with a Risky Implementation* | CWE1240 | 2004 A8, 2010 A7, 2013 A6, 2017 A3, 2021 A2 | L2 | * | ||
Use of Predictable Algorithm in Random Number Generator* | CWE1241 | 2004 A2, 2021 A2 | L1 | * | ||
Inclusion of Undocumented Features or Chicken Bits* | CWE1242 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Sensitive Non-Volatile Information Not Protected During Debug* | CWE1243 | |||||
Internal Asset Exposed to Unsafe Debug Access Level or State* | CWE1244 | 2010 A4, 2010 A8, 2021 A1 | * | * | ||
Improper Finite State Machines (FSMs) in Hardware Logic* | CWE1245 | |||||
Improper Write Handling in Limited-write Non-Volatile Memories* | CWE1246 | 2004 A9 | L1 | * | ||
Improper Protection Against Voltage and Clock Glitches* | CWE1247 | |||||
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications* | CWE1248 | |||||
Application-Level Admin Tool with Inconsistent View of Underlying Operating System* | CWE1249 | |||||
Improper Preservation of Consistency Between Independent Representations of Shared State* | CWE1250 | |||||
Mirrored Regions with Different Values* | CWE1251 | |||||
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations* | CWE1252 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Incorrect Selection of Fuse Values* | CWE1253 | |||||
Incorrect Comparison Logic Granularity* | CWE1254 | |||||
Comparison Logic is Vulnerable to Power Side-Channel Attacks* | CWE1255 | |||||
Improper Restriction of Software Interfaces to Hardware Features* | CWE1256 | 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | ||
Improper Access Control Applied to Mirrored or Aliased Memory Regions* | CWE1257 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Exposure of Sensitive System Information Due to Uncleared Debug Information* | CWE1258 | 2007 A6, 2021 A1 | L1 | * | * | |
Improper Restriction of Security Token Assignment* | CWE1259 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Handling of Overlap Between Protected Memory Ranges* | CWE1260 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Handling of Single Event Upsets* | CWE1261 | |||||
Improper Access Control for Register Interface* | CWE1262 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Physical Access Control* | CWE1263 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Hardware Logic with Insecure De-Synchronization between Control and Data Channels* | CWE1264 | |||||
Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls* | CWE1265 | |||||
Improper Scrubbing of Sensitive Data from Decommissioned Device* | CWE1266 | 2004 A9 | * | |||
Policy Uses Obsolete Encoding* | CWE1267 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Policy Privileges are not Assigned Consistently Between Control and Data Agents* | CWE1268 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Product Released in Non-Release Configuration* | CWE1269 | |||||
Generation of Incorrect Security Tokens* | CWE1270 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Uninitialized Value on Reset for Registers Holding Security Settings* | CWE1271 | |||||
Sensitive Information Uncleared Before Debug/Power State Transition* | CWE1272 | 2004 A8 | L2 | |||
Device Unlock Credential Sharing* | CWE1273 | 2007 A6, 2021 A1 | L1 | * | ||
Improper Access Control for Volatile Memory Containing Boot Code* | CWE1274 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Sensitive Cookie with Improper SameSite Attribute* | CWE1275 | 2021 A1 | L1 | |||
Hardware Child Block Incorrectly Connected to Parent System* | CWE1276 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Firmware Not Updateable* | CWE1277 | |||||
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques* | CWE1278 | |||||
Cryptographic Operations are run Before Supporting Units are Ready* | CWE1279 | * | ||||
Access Control Check Implemented After Asset is Accessed* | CWE1280 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Sequence of Processor Instructions Leads to Unexpected Behavior* | CWE1281 | |||||
Assumed-Immutable Data is Stored in Writable Memory* | CWE1282 | 2021 A1 | ||||
Mutable Attestation or Measurement Reporting Data* | CWE1283 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Validation of Specified Quantity in Input* | CWE1284 | 2004 A1, 2021 A3 | L1 | * | * | |
Improper Validation of Specified Index, Position, or Offset in Input* | CWE1285 | 2004 A1, 2021 A3 | L1 | * | * | |
Improper Validation of Syntactic Correctness of Input* | CWE1286 | 2004 A1, 2021 A3 | L1 | * | * | |
Improper Validation of Specified Type of Input* | CWE1287 | 2004 A1, 2021 A3 | L1 | * | * | |
Improper Validation of Consistency within Input* | CWE1288 | 2004 A1, 2021 A3 | L1 | * | * | |
Improper Validation of Unsafe Equivalence in Input* | CWE1289 | 2004 A1, 2021 A3 | L1 | * | * | |
Incorrect Decoding of Security Identifiers* | CWE1290 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 |||
Public Key Re-Use for Signing both Debug and Production Code* | CWE1291 | |||||
Incorrect Conversion of Security Identifiers* | CWE1292 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Missing Source Correlation of Multiple Independent Data* | CWE1293 | 2004 A3, 2021 A8 | L2 | |||
Insecure Security Identifier Mechanism* | CWE1294 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Debug Messages Revealing Unnecessary Information* | CWE1295 | 2007 A6, 2021 A1 | L1 | * | ||
Incorrect Chaining or Granularity of Debug Components* | CWE1296 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Unprotected Confidential Information on Device is Accessible by OSAT Vendors* | CWE1297 | 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | ||
Hardware Logic Contains Race Conditions* | CWE1298 | L2 | * | * | ||
Missing Protection Mechanism for Alternate Hardware Interface* | CWE1299 | 2007 A10, 2021 A7 | ||||
Improper Protection of Physical Side Channels* | CWE1300 | 2004 A7, 2007 A6 | ||||
Insufficient or Incomplete Data Removal within Hardware Component* | CWE1301 | 2004 A8 | L2 | |||
Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)* | CWE1302 | |||||
Non-Transparent Sharing of Microarchitectural Resources* | CWE1303 | 2004 A7, 2007 A6 | ||||
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation* | CWE1304 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Missing Ability to Patch ROM Code* | CWE1310 | |||||
Improper Translation of Security Attributes by Fabric Bridge* | CWE1311 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall* | CWE1312 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Hardware Allows Activation of Test or Debug Logic at Runtime* | CWE1313 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Missing Write Protection for Parametric Data Values* | CWE1314 | 2010 A4, 2010 A8, 2021 A1 | * | * | ||
Improper Setting of Bus Controlling Capability in Fabric End-point* | CWE1315 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges* | CWE1316 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improper Access Control in Fabric Bridge* | CWE1317 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Missing Support for Security Features in On-chip Fabrics or Buses* | CWE1318 | |||||
Improper Protection against Electromagnetic Fault Injection (EM-FI)* | CWE1319 | |||||
Improper Protection for Outbound Error Messages and Alert Signals* | CWE1320 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')* | CWE1321 | 2019 API6, 2021 A1, 2021 A8 | L1 | |||
Use of Blocking Code in Single-threaded, Non-blocking Context* | CWE1322 | |||||
Improper Management of Sensitive Trace Data* | CWE1323 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface* | CWE1324 | |||||
Improperly Controlled Sequential Memory Allocation* | CWE1325 | 2019 API4 | L1 | * | ||
Missing Immutable Root of Trust in Hardware* | CWE1326 | |||||
Binding to an Unrestricted IP Address* | CWE1327 | 2021 A1 | ||||
Security Version Number Mutable to Older Versions* | CWE1328 | 2004 A2, 2007 A10, 2010 A8, 2013 A7, 2017 A5, 2019 API1, 2019 API5, 2021 A1 | L1 | * | ||
Reliance on Component That is Not Updateable* | CWE1329 | |||||
Remanent Data Readable after Memory Erase* | CWE1330 | |||||
Improper Isolation of Shared Resources in Network On Chip (NoC)* | CWE1331 | 2021 A1, 2021 A4 | ||||
Improper Handling of Faults that Lead to Instruction Skips* | CWE1332 | |||||
Inefficient Regular Expression Complexity* | CWE1333 | |||||
Unauthorized Error Injection Can Degrade Hardware Redundancy* | CWE1334 | 2004 A2, 2017 A5, 2019 API1, 2021 A1 | L2 | |||
Incorrect Bitwise Shift of Integer* | CWE1335 | * | ||||
Improper Neutralization of Special Elements Used in a Template Engine* | CWE1336 | 2021 A3 | L1 | * | * | |
Improper Protections Against Hardware Overheating* | CWE1338 | |||||
Insufficient Precision or Accuracy of a Real Number* | CWE1339 | * | ||||
Multiple Releases of Same Resource or Handle* | CWE1341 | |||||
Information Exposure through Microarchitectural State after Transient Execution* | CWE1342 | 2004 A8 | L2 | |||
Improper Handling of Hardware Behavior in Exceptionally Cold Environments* | CWE1351 | |||||
Reliance on Insufficiently Trustworthy Component* | CWE1357 | |||||
Improper Handling of Physical or Environmental Conditions* | CWE1384 | |||||
Missing Origin Validation in WebSockets* | CWE1385 | 2021 A7 | L1 | |||
Insecure Operation on Windows Junction / Mount Point* | CWE1386 | 2021 A1 | * | |||
Incorrect Parsing of Numbers with Different Radices* | CWE1389 | |||||
Weak Authentication* | CWE1390 | 2004 A3, 2007 A7, 2010 A3, 2013 A2, 2017 A2, 2021 A7 | L1 | * | ||
Use of Weak Credentials* | CWE1391 | |||||
Use of Default Credentials* | CWE1392 | |||||
Use of Default Password* | CWE1393 | |||||
Use of Default Cryptographic Key* | CWE1394 | |||||
Dependency on Vulnerable Third-Party Component* | CWE1395 | 2021 A4 | ||||
Incorrect Initialization of Resource* | CWE1419 | * | ||||
Exposure of Sensitive Information during Transient Execution* | CWE1420 | |||||
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution* | CWE1421 | |||||
Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution* | CWE1422 | |||||
Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution* | CWE1423 | |||||
Improper Validation of Generative AI Output* | CWE1426 | |||||
Improper Neutralization of Input Used for LLM Prompting* | CWE1427 | 2004 A1, 2004 A6, 2007 A2, 2013 A1, 2017 A1, 2019 API8, 2021 A3 | * |
* This weakness is not included in the built-in rule set, but it is either a child of another weakness that is in the built-in rule set, or it is supported through a custom rule set.
References
- Weakness category names are based on the Common Weakness Enumeration List Version 4.14.
- The OWASP Top 10 list is based on the OWASP Top Ten project.
- The OWASP ASVS list is based on the OWASP Application Security Verification Standard 4.0.3.
- The CWE Top 25 list is based on the CWE Top 25 Most Dangerous Software Errors.
- The CWE/SANS Top 25 list is based on the SANS Top 25 Most Dangerous Software Errors Version 3.0.
- The PCI DSS list is based on the Payment Card Industry (PCI) Data Security Standard, v4.0.