Questions tagged [cwe]
For CWE, Common Weakness Enumeration. Not to be confused with CVE.
10 questions
0 votes, 1 answer, 158 views
CWE for "Misconfigured server allows insecure https request to IP-addressed URL"?
I'm doing a vulnerability assessment for a whole slew of web servers, and almost every single one of them (hundreds) is misconfigured like the following two examples:
Case 1: one or more hostnames ...
1 vote, 0 answers, 123 views
CWEs for Language Machine Learning Models
I'm looking for the relevant CWEs for specific attacks against prompt-based language ML models, such as GPT-3, GPT-4 etc.
Specifically:
Prompt Injection: Amending prompts with malicious input to ...
6 votes, 3 answers, 2k views
Why are there multiple "Hardcoded Password" Entries in CWE instead of single one?
When I looked up hardcoded password vulnerability in software world, I saw there are three kinds of vulnerabilities. They are:
CWE-798: Use of Hard-coded Credentials
The Hardcoded Creds ...
0 votes, 2 answers, 145 views
What types of software can have "Hardcoded Password" vulnerability?
When I investigated the Google results, the software vulnerability "Hardcoded Password" (CWE-798 & CWE-259) is a vulnerability for IoT devices' software (see: link1) and thick client ...
0 votes, 2 answers, 3k views
How can I map CVEs to their underlying CWE?
I was tasked with developing a consistent, relatively complete map for CVEs to CWEs at my internship, and I'm kind of at a loss finding a method to find a 1-to-1 way to map CVEs onto CWEs. Ideally, ...
1 vote, 0 answers, 259 views
CWE-611: Improper Restriction of XML External Entity Reference with XSL include
Veracode reports that the below code is susceptible to CWE-611: Improper Restriction of XML External Entity Reference.
XslCompiledTransform transform = new XslCompiledTransform();
transform.Load(...
3 votes, 1 answer, 214 views
Faults vs weaknesses
I am trying to make the link between faults and weaknesses (as defined by the Common Weakness Enumeration).
The word "fault" is generally used in the reliability domain, to designate the cause ...
0 votes, 1 answer, 350 views
CWE-234 - Snprintf Missing Parameter issues
We are scanning a third party library using a well-known static analysis tool here.
We keep getting:
"Failure to Handle Missing Parameter CWE ID 234"
I'm not a C developer but I can't see what is ...
4 votes, 1 answer, 1k views
How to find CAPEC items related to a CVE
Vulnerabilities with a CVE usually also have a CWE associated with them, but almost never CAPEC. CWE's site also only very rarely points to related CAPEC items.
Is there a way to find a CVE's ...
5 votes, 1 answer, 254 views
Categorizing a data leak which is intentionally / by carelessness / by design
I have found a publicly accessible web page which discloses person-related data when queried with matching input data. This is against the company's own data protection promise. I want to report ...