| ID | Name | Major | Minor |
|---|---|---|---|
| 11 | ASP.NET Misconfiguration: Creating Debug Binary | Applicable_Platforms, Background_Details | None |
| 12 | ASP.NET Misconfiguration: Missing Custom Error Page | Applicable_Platforms, Background_Details | None |
| 14 | Compiler Removal of Code to Clear Buffers | None | References |
| 15 | External Control of System or Configuration Setting | Modes_of_Introduction | None |
| 20 | Improper Input Validation | Detection_Factors, Modes_of_Introduction, Potential_Mitigations | References |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Detection_Factors | Potential_Mitigations, References |
| 23 | Relative Path Traversal | None | References |
| 31 | Path Traversal: 'dir\..\..\filename' | None | References |
| 34 | Path Traversal: '....//' | None | Detection_Factors |
| 36 | Absolute Path Traversal | None | References |
| 40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | None | References |
| 41 | Improper Resolution of Path Equivalence | Detection_Factors | None |
| 58 | Path Equivalence: Windows 8.3 Filename | None | References |
| 59 | Improper Link Resolution Before File Access ('Link Following') | Detection_Factors | Applicable_Platforms, References |
| 61 | UNIX Symbolic Link (Symlink) Following | None | References |
| 62 | UNIX Hard Link | None | Applicable_Platforms, References |
| 65 | Windows Hard Link | None | References |
| 66 | Improper Handling of File Names that Identify Virtual Resources | Detection_Factors | None |
| 67 | Improper Handling of Windows Device Names | None | References |
| 69 | Improper Handling of Windows ::DATA Alternate Data Stream | None | References |
| 72 | Improper Handling of Apple HFS+ Alternate Data Stream Path | None | Applicable_Platforms |
| 73 | External Control of File Name or Path | None | Applicable_Platforms, References |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | None | References |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Potential_Mitigations | Detection_Factors, References |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Applicable_Platforms, Background_Details, Description, References | Detection_Factors, Potential_Mitigations |
| 81 | Improper Neutralization of Script in an Error Message Web Page | None | References |
| 88 | Argument Injection or Modification | None | References |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Modes_of_Introduction, References | Detection_Factors, Potential_Mitigations |
| 91 | XML Injection (aka Blind XPath Injection) | None | References |
| 94 | Improper Control of Generation of Code ('Code Injection') | Applicable_Platforms, Potential_Mitigations | References |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | Applicable_Platforms, Modes_of_Introduction | References |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | None | Potential_Mitigations, References |
| 106 | Struts: Plug-in Framework not in Use | Potential_Mitigations | None |
| 109 | Struts: Validator Turned Off | Other_Notes | None |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Demonstrative_Examples | References |
| 116 | Improper Encoding or Escaping of Output | None | Potential_Mitigations, References |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Detection_Factors | Potential_Mitigations, References |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Detection_Factors | Potential_Mitigations, References |
| 121 | Stack-based Buffer Overflow | None | References |
| 122 | Heap-based Buffer Overflow | None | References |
| 123 | Write-what-where Condition | None | References |
| 124 | Buffer Underwrite ('Buffer Underflow') | Observed_Examples | References |
| 125 | Out-of-bounds Read | None | References |
| 128 | Wrap-around Error | None | References |
| 129 | Improper Validation of Array Index | Potential_Mitigations | References |
| 131 | Incorrect Calculation of Buffer Size | Detection_Factors, Potential_Mitigations | References |
| 134 | Use of Externally-Controlled Format String | Detection_Factors, Modes_of_Introduction | Potential_Mitigations, References |
| 135 | Incorrect Calculation of Multi-Byte String Length | None | References |
| 141 | Improper Neutralization of Parameter/Argument Delimiters | None | References |
| 142 | Improper Neutralization of Value Delimiters | None | References |
| 143 | Improper Neutralization of Record Delimiters | None | References |
| 144 | Improper Neutralization of Line Delimiters | None | References |
| 145 | Improper Neutralization of Section Delimiters | None | References |
| 146 | Improper Neutralization of Expression/Command Delimiters | None | References |
| 158 | Improper Neutralization of Null Byte or NUL Character | None | References |
| 171 | Cleansing, Canonicalization, and Comparison Errors | None | References |
| 176 | Improper Handling of Unicode Encoding | None | References |
| 179 | Incorrect Behavior Order: Early Validation | None | References |
| 182 | Collapse of Data into Unsafe Value | None | References |
| 183 | Permissive Whitelist | None | References |
| 184 | Incomplete Blacklist | Observed_Examples | References |
| 185 | Incorrect Regular Expression | None | References |
| 188 | Reliance on Data/Memory Layout | None | References |
| 190 | Integer Overflow or Wraparound | References | Detection_Factors, Potential_Mitigations |
| 191 | Integer Underflow (Wrap or Wraparound) | Applicable_Platforms | References |
| 192 | Integer Coercion Error | Applicable_Platforms | References |
| 193 | Off-by-one Error | None | References |
| 195 | Signed to Unsigned Conversion Error | None | References |
| 196 | Unsigned to Signed Conversion Error | None | References |
| 197 | Numeric Truncation Error | Applicable_Platforms | References |
| 200 | Information Exposure | Applicable_Platforms | Detection_Factors, References |
| 204 | Response Discrepancy Information Exposure | None | References |
| 209 | Information Exposure Through an Error Message | Potential_Mitigations | References |
| 210 | Information Exposure Through Self-generated Error Message | Potential_Mitigations | References |
| 211 | Information Exposure Through Externally-Generated Error Message | Modes_of_Introduction, Potential_Mitigations | None |
| 219 | Sensitive Data Under Web Root | Modes_of_Introduction | None |
| 223 | Omission of Security-relevant Information | None | References |
| 224 | Obscured Security-relevant Information by Alternate Name | None | References |
| 242 | Use of Inherently Dangerous Function | None | References |
| 243 | Creation of chroot Jail Without Changing Working Directory | None | Applicable_Platforms |
| 248 | Uncaught Exception | Applicable_Platforms | None |
| 250 | Execution with Unnecessary Privileges | Applicable_Platforms, Detection_Factors, Modes_of_Introduction, Potential_Mitigations, References, Time_of_Introduction | None |
| 252 | Unchecked Return Value | None | References |
| 253 | Incorrect Check of Function Return Value | None | References |
| 256 | Plaintext Storage of a Password | Modes_of_Introduction | References |
| 258 | Empty Password in Configuration File | None | References |
| 259 | Use of Hard-coded Password | None | References |
| 260 | Password in Configuration File | None | References |
| 261 | Weak Cryptography for Passwords | None | References |
| 262 | Not Using Password Aging | None | References |
| 263 | Password Aging with Long Expiration | None | References |
| 264 | Permissions, Privileges, and Access Controls | None | References |
| 266 | Incorrect Privilege Assignment | None | Potential_Mitigations, References |
| 267 | Privilege Defined With Unsafe Actions | None | Potential_Mitigations, References |
| 268 | Privilege Chaining | None | Potential_Mitigations, References |
| 269 | Improper Privilege Management | None | References |
| 270 | Privilege Context Switching Error | None | Potential_Mitigations, References |
| 271 | Privilege Dropping / Lowering Errors | None | References |
| 272 | Least Privilege Violation | None | Detection_Factors |
| 273 | Improper Check for Dropped Privileges | Modes_of_Introduction | None |
| 275 | Permission Issues | None | References |
| 276 | Incorrect Default Permissions | Detection_Factors | References |
| 279 | Incorrect Execution-Assigned Permissions | Time_of_Introduction | None |
| 284 | Improper Access Control | None | References |
| 285 | Improper Authorization | Detection_Factors, Modes_of_Introduction, Time_of_Introduction | Potential_Mitigations, References |
| 287 | Improper Authentication | Demonstrative_Examples, Detection_Factors, References | None |
| 290 | Authentication Bypass by Spoofing | None | References |
| 293 | Using Referer Field for Authentication | None | References |
| 295 | Improper Certificate Validation | Applicable_Platforms, Detection_Factors | None |
| 296 | Improper Following of a Certificate's Chain of Trust | None | References |
| 297 | Improper Validation of Certificate with Host Mismatch | Applicable_Platforms | References |
| 298 | Improper Validation of Certificate Expiration | None | References |
| 299 | Improper Check for Certificate Revocation | None | References |
| 301 | Reflection Attack in an Authentication Protocol | None | References |
| 306 | Missing Authentication for Critical Function | Detection_Factors | Potential_Mitigations, References |
| 307 | Improper Restriction of Excessive Authentication Attempts | Demonstrative_Examples, References | Detection_Factors, Potential_Mitigations |
| 310 | Cryptographic Issues | None | References |
| 311 | Missing Encryption of Sensitive Data | Detection_Factors | Potential_Mitigations, References |
| 312 | Cleartext Storage of Sensitive Information | Applicable_Platforms | References |
| 319 | Cleartext Transmission of Sensitive Information | Applicable_Platforms | References |
| 322 | Key Exchange without Entity Authentication | None | References |
| 324 | Use of a Key Past its Expiration Date | None | References |
| 325 | Missing Required Cryptographic Step | Observed_Examples, Time_of_Introduction | None |
| 326 | Inadequate Encryption Strength | None | References |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | Detection_Factors, References | Potential_Mitigations |
| 328 | Reversible One-Way Hash | None | Potential_Mitigations, References |
| 329 | Not Using a Random IV with CBC Mode | None | References |
| 330 | Use of Insufficiently Random Values | Detection_Factors, References | Potential_Mitigations |
| 331 | Insufficient Entropy | None | References |
| 332 | Insufficient Entropy in PRNG | None | Potential_Mitigations, References |
| 334 | Small Space of Random Values | None | Potential_Mitigations, References |
| 335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | None | References |
| 336 | Same Seed in Pseudo-Random Number Generator (PRNG) | None | Potential_Mitigations, References |
| 337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | None | Potential_Mitigations, References |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | None | References |
| 339 | Small Seed Space in PRNG | None | Potential_Mitigations, References |
| 340 | Predictability Problems | None | References |
| 341 | Predictable from Observable State | None | Potential_Mitigations, References |
| 342 | Predictable Exact Value from Previous Values | None | Potential_Mitigations, References |
| 343 | Predictable Value Range from Previous Values | None | Potential_Mitigations, References |
| 344 | Use of Invariant Value in Dynamically Changing Context | None | References |
| 345 | Insufficient Verification of Data Authenticity | None | References |
| 346 | Origin Validation Error | None | Demonstrative_Examples |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | None | References |
| 352 | Cross-Site Request Forgery (CSRF) | Detection_Factors | Potential_Mitigations, References |
| 353 | Missing Support for Integrity Check | None | References |
| 359 | Exposure of Private Information ('Privacy Violation') | Applicable_Platforms, References | Demonstrative_Examples, Description |
| 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Demonstrative_Examples, References | Detection_Factors, Potential_Mitigations |
| 363 | Race Condition Enabling Link Following | None | References |
| 364 | Signal Handler Race Condition | None | Demonstrative_Examples, References |
| 365 | Race Condition in Switch | Applicable_Platforms | References |
| 366 | Race Condition within a Thread | Applicable_Platforms | References |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | None | References |
| 368 | Context Switching Race Condition | None | References |
| 369 | Divide By Zero | Demonstrative_Examples, References | None |
| 370 | Missing Check for Certificate Revocation after Initial Check | None | References |
| 374 | Passing Mutable Objects to an Untrusted Method | Applicable_Platforms | Demonstrative_Examples |
| 375 | Returning a Mutable Object to an Untrusted Caller | Applicable_Platforms | None |
| 377 | Insecure Temporary File | References | None |
| 379 | Creation of Temporary File in Directory with Incorrect Permissions | None | References |
| 384 | Session Fixation | Modes_of_Introduction | None |
| 388 | 7PK - Errors | References | None |
| 389 | Error Conditions, Return Values, Status Codes | None | References |
| 390 | Detection of Error Condition Without Action | None | References |
| 395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | None | Detection_Factors |
| 396 | Declaration of Catch for Generic Exception | Applicable_Platforms | References |
| 397 | Declaration of Throws for Generic Exception | Applicable_Platforms | None |
| 398 | 7PK - Code Quality | References | None |
| 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | References | None |
| 401 | Improper Release of Memory Before Removing Last Reference ('Memory Leak') | None | Potential_Mitigations, References |
| 403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | None | Applicable_Platforms |
| 404 | Improper Resource Shutdown or Release | None | References |
| 410 | Insufficient Resource Pool | None | References |
| 415 | Double Free | None | References |
| 416 | Use After Free | None | References |
| 421 | Race Condition During Access to Alternate Channel | References | None |
| 422 | Unprotected Windows Messaging Channel ('Shatter') | References | None |
| 426 | Untrusted Search Path | Modes_of_Introduction, References | Applicable_Platforms |
| 427 | Uncontrolled Search Path Element | None | Applicable_Platforms |
| 428 | Unquoted Search Path or Element | Applicable_Platforms | References |
| 430 | Deployment of Wrong Handler | None | References |
| 431 | Missing Handler | None | References |
| 433 | Unparsed Raw Web Content Delivery | None | References |
| 434 | Unrestricted Upload of File with Dangerous Type | Applicable_Platforms, Observed_Examples | Detection_Factors, Potential_Mitigations, References |
| 436 | Interpretation Conflict | References | Demonstrative_Examples |
| 444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') | None | Potential_Mitigations |
| 456 | Missing Initialization of a Variable | None | References |
| 457 | Use of Uninitialized Variable | References | None |
| 460 | Improper Cleanup on Thrown Exception | Applicable_Platforms | None |
| 462 | Duplicate Key in Associative List (Alist) | Applicable_Platforms | None |
| 463 | Deletion of Data Structure Sentinel | None | References |
| 466 | Return of Pointer Value Outside of Expected Range | None | References |
| 468 | Incorrect Pointer Scaling | None | References |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Applicable_Platforms | None |
| 472 | External Control of Assumed-Immutable Web Parameter | None | References |
| 476 | NULL Pointer Dereference | Applicable_Platforms | None |
| 477 | Use of Obsolete Function | Detection_Factors | None |
| 478 | Missing Default Case in Switch Statement | Applicable_Platforms | References |
| 479 | Signal Handler Use of a Non-reentrant Function | Demonstrative_Examples | References |
| 480 | Use of Incorrect Operator | None | References |
| 481 | Assigning instead of Comparing | Applicable_Platforms | References |
| 482 | Comparing instead of Assigning | None | References |
| 484 | Omitted Break Statement in Switch | Applicable_Platforms | References |
| 494 | Download of Code Without Integrity Check | None | Potential_Mitigations, References |
| 495 | Private Array-Typed Field Returned From A Public Method | Applicable_Platforms | None |
| 496 | Public Data Assigned to Private Array-Typed Field | Applicable_Platforms | None |
| 498 | Cloneable Class Containing Sensitive Information | Applicable_Platforms | None |
| 502 | Deserialization of Untrusted Data | None | Applicable_Platforms |
| 506 | Embedded Malicious Code | Detection_Factors | None |
| 507 | Trojan Horse | None | References |
| 510 | Trapdoor | Detection_Factors | None |
| 511 | Logic/Time Bomb | Applicable_Platforms | References |
| 521 | Weak Password Requirements | None | References |
| 522 | Insufficiently Protected Credentials | None | References |
| 538 | File and Directory Information Exposure | Modes_of_Introduction | References |
| 549 | Missing Password Field Masking | None | References |
| 552 | Files or Directories Accessible to External Parties | Modes_of_Introduction | None |
| 554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | Applicable_Platforms | None |
| 560 | Use of umask() with chmod-style Argument | Other_Notes | None |
| 561 | Dead Code | None | Detection_Factors |
| 597 | Use of Wrong Operator in String Comparison | None | References |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | Applicable_Platforms, Observed_Examples, References | Detection_Factors, Potential_Mitigations |
| 602 | Client-Side Enforcement of Server-Side Security | Applicable_Platforms, Observed_Examples | References |
| 603 | Use of Client-Side Authentication | Observed_Examples | References |
| 604 | Deprecated Entries | View_Filter | None |
| 606 | Unchecked Input for Loop Condition | None | References |
| 609 | Double-Checked Locking | None | References |
| 611 | Improper Restriction of XML External Entity Reference ('XXE') | Applicable_Platforms, References | None |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Observed_Examples | None |
| 618 | Exposed Unsafe ActiveX Method | None | References |
| 620 | Unverified Password Change | None | References |
| 623 | Unsafe ActiveX Control Marked Safe For Scripting | None | References |
| 625 | Permissive Regular Expression | None | References |
| 629 | Weaknesses in OWASP Top Ten (2007) | View_Audience | None |
| 630 | DEPRECATED: Weaknesses Examined by SAMATE | View_Structure | None |
| 635 | Weaknesses Originally Used by NVD from 2008 to 2016 | View_Structure | None |
| 636 | Not Failing Securely ('Failing Open') | References | None |
| 637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') | References | None |
| 638 | Not Using Complete Mediation | References | None |
| 640 | Weak Password Recovery Mechanism for Forgotten Password | None | References |
| 642 | External Control of Critical State Data | None | Potential_Mitigations, References |
| 643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | None | References |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | Applicable_Platforms | None |
| 653 | Insufficient Compartmentalization | References | Detection_Factors |
| 654 | Reliance on a Single Factor in a Security Decision | References | None |
| 655 | Insufficient Psychological Acceptability | References | Demonstrative_Examples |
| 656 | Reliance on Security Through Obscurity | Demonstrative_Examples, References | None |
| 657 | Violation of Secure Design Principles | References | None |
| 658 | Weaknesses in Software Written in C | View_Filter | None |
| 659 | Weaknesses in Software Written in C++ | View_Filter | None |
| 660 | Weaknesses in Software Written in Java | View_Filter | None |
| 661 | Weaknesses in Software Written in PHP | View_Filter | None |
| 665 | Improper Initialization | References | None |
| 672 | Operation on a Resource after Expiration or Release | Applicable_Platforms | None |
| 676 | Use of Potentially Dangerous Function | Detection_Factors | Potential_Mitigations, References |
| 677 | Weakness Base Elements | View_Filter | None |
| 678 | Composites | View_Filter | None |
| 679 | DEPRECATED: Chain Elements | View_Filter | None |
| 681 | Incorrect Conversion between Numeric Types | None | References |
| 682 | Incorrect Calculation | Potential_Mitigations | References |
| 689 | Permission Race Condition During Resource Copy | None | References |
| 692 | Incomplete Blacklist to Cross-Site Scripting | References | Description |
| 699 | Development Concepts | View_Audience | None |
| 700 | Seven Pernicious Kingdoms | View_Audience | None |
| 701 | Weaknesses Introduced During Design | View_Filter | None |
| 702 | Weaknesses Introduced During Implementation | View_Filter | None |
| 703 | Improper Check or Handling of Exceptional Conditions | None | Detection_Factors, References |
| 709 | Named Chains | View_Filter | None |
| 711 | Weaknesses in OWASP Top Ten (2004) | View_Audience | None |
| 732 | Incorrect Permission Assignment for Critical Resource | Detection_Factors, Modes_of_Introduction | Potential_Mitigations, References |
| 733 | Compiler Optimization Removal or Modification of Security-critical Code | Applicable_Platforms | References |
| 734 | Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version) | View_Audience | None |
| 749 | Exposed Dangerous Method or Function | None | Demonstrative_Examples |
| 750 | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors | View_Audience | None |
| 754 | Improper Check for Unusual or Exceptional Conditions | Demonstrative_Examples | References |
| 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | Time_of_Introduction | None |
| 759 | Use of a One-Way Hash without a Salt | Detection_Factors, Time_of_Introduction | Potential_Mitigations, References |
| 760 | Use of a One-Way Hash with a Predictable Salt | Time_of_Introduction | Potential_Mitigations, References |
| 762 | Mismatched Memory Management Routines | None | Potential_Mitigations, References |
| 770 | Allocation of Resources Without Limits or Throttling | Demonstrative_Examples, Potential_Mitigations, References | None |
| 771 | Missing Reference to Active Allocated Resource | Potential_Mitigations | None |
| 772 | Missing Release of Resource after Effective Lifetime | Applicable_Platforms, Potential_Mitigations | None |
| 773 | Missing Reference to Active File Descriptor or Handle | Potential_Mitigations | None |
| 774 | Allocation of File Descriptors or Handles Without Limits or Throttling | Potential_Mitigations | References |
| 775 | Missing Release of File Descriptor or Handle after Effective Lifetime | Potential_Mitigations | References |
| 776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | Applicable_Platforms, References | None |
| 778 | Insufficient Logging | None | References |
| 781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | Applicable_Platforms, References | None |
| 782 | Exposed IOCTL with Insufficient Access Control | Applicable_Platforms | None |
| 783 | Operator Precedence Logic Error | Applicable_Platforms | References |
| 784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | Applicable_Platforms | References |
| 789 | Uncontrolled Memory Allocation | None | References |
| 790 | Improper Filtering of Special Elements | Time_of_Introduction | None |
| 791 | Incomplete Filtering of Special Elements | Time_of_Introduction | None |
| 792 | Incomplete Filtering of One or More Instances of Special Elements | Time_of_Introduction | None |
| 793 | Only Filtering One Instance of a Special Element | Time_of_Introduction | None |
| 794 | Incomplete Filtering of Multiple Instances of Special Elements | Time_of_Introduction | None |
| 795 | Only Filtering Special Elements at a Specified Location | Time_of_Introduction | None |
| 796 | Only Filtering Special Elements Relative to a Marker | Time_of_Introduction | None |
| 797 | Only Filtering Special Elements at an Absolute Position | Time_of_Introduction | None |
| 798 | Use of Hard-coded Credentials | Applicable_Platforms, Detection_Factors | Potential_Mitigations, References |
| 800 | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors | View_Audience | None |
| 805 | Buffer Access with Incorrect Length Value | None | Potential_Mitigations, References |
| 806 | Buffer Access Using Size of Source Buffer | None | Potential_Mitigations, References |
| 807 | Reliance on Untrusted Inputs in a Security Decision | Detection_Factors | Potential_Mitigations, References |
| 809 | Weaknesses in OWASP Top Ten (2010) | View_Audience | None |
| 823 | Use of Out-of-range Pointer Offset | None | References |
| 824 | Access of Uninitialized Pointer | None | References |
| 827 | Improper Control of Document Type Definition | Applicable_Platforms, Time_of_Introduction | None |
| 828 | Signal Handler with Functionality that is not Asynchronous-Safe | None | Demonstrative_Examples, References |
| 829 | Inclusion of Functionality from Untrusted Control Sphere | Detection_Factors, Time_of_Introduction | Demonstrative_Examples, Potential_Mitigations, References |
| 830 | Inclusion of Web Functionality from an Untrusted Source | Time_of_Introduction | Demonstrative_Examples |
| 831 | Signal Handler Function Associated with Multiple Signals | None | Demonstrative_Examples, References |
| 833 | Deadlock | None | References |
| 834 | Excessive Iteration | None | Detection_Factors, References |
| 835 | Loop with Unreachable Exit Condition ('Infinite Loop') | None | References |
| 836 | Use of Password Hash Instead of Password for Authentication | Time_of_Introduction | None |
| 838 | Inappropriate Encoding for Output Context | None | Potential_Mitigations, References |
| 839 | Numeric Range Comparison Without Minimum Check | None | References |
| 840 | Business Logic Errors | References | None |
| 841 | Improper Enforcement of Behavioral Workflow | References, Time_of_Introduction | None |
| 843 | Access of Resource Using Incompatible Type ('Type Confusion') | None | References |
| 844 | Weaknesses Addressed by the CERT Java Secure Coding Standard | View_Audience | None |
| 862 | Missing Authorization | Detection_Factors, Modes_of_Introduction | Potential_Mitigations, References |
| 863 | Incorrect Authorization | Detection_Factors, Modes_of_Introduction | Potential_Mitigations, References |
| 868 | Weaknesses Addressed by the CERT C++ Secure Coding Standard | View_Audience | None |
| 884 | CWE Cross-section | View_Structure | None |
| 888 | Software Fault Pattern (SFP) Clusters | View_Audience | None |
| 900 | Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors | View_Audience | None |
| 908 | Use of Uninitialized Resource | References | None |
| 911 | Improper Update of Reference Count | References | None |
| 916 | Use of Password Hash With Insufficient Computational Effort | Detection_Factors, References | |
|
Minor |
Potential_Mitigations |
918 |
Server-Side Request Forgery (SSRF) |
|
Major |
Applicable_Platforms, References |
|
Minor |
None |
919 |
Weaknesses in Mobile Applications |
|
Major |
View_Filter |
|
Minor |
None |
920 |
Improper Restriction of Power Consumption |
|
Major |
Applicable_Platforms |
|
Minor |
None |
921 |
Storage of Sensitive Data in a Mechanism without Access Control |
|
Major |
Applicable_Platforms |
|
Minor |
None |
925 |
Improper Verification of Intent by Broadcast Receiver |
|
Major |
Applicable_Platforms |
|
Minor |
References |
926 |
Improper Export of Android Application Components |
|
Major |
Applicable_Platforms, Background_Details, Potential_Mitigations |
|
Minor |
References |
927 |
Use of Implicit Intent for Sensitive Communication |
|
Major |
Applicable_Platforms |
|
Minor |
References |
928 |
Weaknesses in OWASP Top Ten (2013) |
|
Major |
View_Audience |
|
Minor |
None |
939 |
Improper Authorization in Handler for Custom URL Scheme |
|
Major |
Applicable_Platforms, Time_of_Introduction |
|
Minor |
Demonstrative_Examples |
940 |
Improper Verification of Source of a Communication Channel |
|
Major |
Applicable_Platforms |
|
Minor |
Demonstrative_Examples |
941 |
Incorrectly Specified Destination in a Communication Channel |
|
Major |
Applicable_Platforms |
|
Minor |
None |
942 |
Overly Permissive Cross-domain Whitelist |
|
Major |
Applicable_Platforms, Potential_Mitigations |
|
Minor |
None |
999 |
Weaknesses without Software Fault Patterns |
|
Major |
View_Audience, View_Filter |
|
Minor |
None |
1000 |
Research Concepts |
|
Major |
View_Audience |
|
Minor |
None |
1004 |
Sensitive Cookie Without 'HttpOnly' Flag |
|
Major |
Applicable_Platforms, Observed_Examples |
|
Minor |
Demonstrative_Examples |
1007 |
Insufficient Visual Distinction of Homoglyphs Presented to User |
|
Major |
Applicable_Platforms, Demonstrative_Examples |
|
Minor |
References |
1008 |
Architectural Concepts |
|
Major |
View_Audience |
|
Minor |
None |
1022 |
Improper Restriction of Cross-Origin Permission to window.opener.location |
|
Major |
Applicable_Platforms, Modes_of_Introduction |
|
Minor |
Demonstrative_Examples |
2000 |
Comprehensive CWE Dictionary |
|
Major |
View_Filter |
|
Minor |
None |