CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.16)  
ID

CWE VIEW: Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java

View ID: 1133
Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph
Downloads: Booklet | CSV | XML
+ Objective
CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java.
+ Audience
Stakeholder Description
Software Developers By following the SEI CERT Oracle Coding Standard for Java, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses.
Product Customers If a software developer claims to be following the SEI CERT Oracle Secure Coding Standard for Java, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim.
Educators Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard.
+ Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
1133 - Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS) - (1134)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS))
Weaknesses in this category are related to the rules and recommendations in the Input Validation and Data Sanitization (IDS) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Encoding or Escaping of Output - (116)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 116 (Improper Encoding or Escaping of Output)
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. Output Sanitization Output Validation Output Encoding
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Behavior Order: Validate Before Canonicalize - (180)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 180 (Incorrect Behavior Order: Validate Before Canonicalize)
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Authentication Bypass by Alternate Name - (289)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 289 (Authentication Bypass by Alternate Name)
The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Output Neutralization for Logs - (117)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 117 (Improper Output Neutralization for Logs)
The product does not neutralize or incorrectly neutralizes output that is written to logs.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Line Delimiters - (144)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 144 (Improper Neutralization of Line Delimiters)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Escape, Meta, or Control Sequences - (150)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 150 (Improper Neutralization of Escape, Meta, or Control Sequences)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Handling of Highly Compressed Data (Data Amplification) - (409)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 409 (Improper Handling of Highly Compressed Data (Data Amplification))
The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Externally-Controlled Format String - (134)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 134 (Use of Externally-Controlled Format String)
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Shell injection Shell metacharacters OS Command Injection
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Collapse of Data into Unsafe Value - (182)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1134 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)) > 182 (Collapse of Data into Unsafe Value)
The product filters data in a way that causes it to be reduced or "collapsed" into an unsafe value that violates an expected security property.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 01. Declarations and Initialization (DCL) - (1135)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1135 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 01. Declarations and Initialization (DCL))
Weaknesses in this category are related to the rules and recommendations in the Declarations and Initialization (DCL) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Initialization - (665)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1135 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 01. Declarations and Initialization (DCL)) > 665 (Improper Initialization)
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP) - (1136)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1136 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP))
Weaknesses in this category are related to the rules and recommendations in the Expressions (EXP) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unchecked Return Value - (252)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1136 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)) > 252 (Unchecked Return Value)
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. NULL Pointer Dereference - (476)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1136 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)) > 476 (NULL Pointer Dereference)
The product dereferences a pointer that it expects to be valid but is NULL. NPD null deref NPE nil pointer dereference
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Wrong Operator in String Comparison - (597)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1136 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)) > 597 (Use of Wrong Operator in String Comparison)
The product uses the wrong operator when comparing a string, such as using "==" when the .equals() method should be used instead.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Comparison of Object References Instead of Object Contents - (595)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1136 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)) > 595 (Comparison of Object References Instead of Object Contents)
The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM) - (1137)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1137 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM))
Weaknesses in this category are related to the rules and recommendations in the Numeric Types and Operations (NUM) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Integer Overflow or Wraparound - (190)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1137 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)) > 190 (Integer Overflow or Wraparound)
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. Overflow Wraparound wrap, wrap-around, wrap around
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Integer Underflow (Wrap or Wraparound) - (191)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1137 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)) > 191 (Integer Underflow (Wrap or Wraparound))
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. Integer underflow
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Numeric Truncation Error - (197)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1137 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)) > 197 (Numeric Truncation Error)
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Divide By Zero - (369)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1137 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)) > 369 (Divide By Zero)
The product divides a value by zero.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Conversion between Numeric Types - (681)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1137 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)) > 681 (Incorrect Conversion between Numeric Types)
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
* Pillar Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. Incorrect Calculation - (682)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1137 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)) > 682 (Incorrect Calculation)
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 04. Characters and Strings (STR) - (1138)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1138 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 04. Characters and Strings (STR))
Weaknesses in this category are related to the rules and recommendations in the Characters and Strings (STR) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Inappropriate Encoding for Output Context - (838)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1138 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 04. Characters and Strings (STR)) > 838 (Inappropriate Encoding for Output Context)
The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ) - (1139)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ))
Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Passing Mutable Objects to an Untrusted Method - (374)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 374 (Passing Mutable Objects to an Untrusted Method)
The product sends non-cloned mutable data as an argument to a method or function.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Returning a Mutable Object to an Untrusted Caller - (375)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 375 (Returning a Mutable Object to an Untrusted Caller)
Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Comparison of Classes by Name - (486)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 486 (Comparison of Classes by Name)
The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Public cloneable() Method Without Final ('Object Hijack') - (491)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 491 (Public cloneable() Method Without Final ('Object Hijack'))
A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Inner Class Containing Sensitive Data - (492)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 492 (Use of Inner Class Containing Sensitive Data)
Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Cloneable Class Containing Sensitive Information - (498)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 498 (Cloneable Class Containing Sensitive Information)
The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Public Static Field Not Marked Final - (500)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 500 (Public Static Field Not Marked Final)
An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Critical Data Element Declared Public - (766)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1139 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)) > 766 (Critical Data Element Declared Public)
The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET) - (1140)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET))
Weaknesses in this category are related to the rules and recommendations in the Methods (MET) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Reachable Assertion - (617)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 617 (Reachable Assertion)
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. assertion failure
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Call to Non-ubiquitous API - (589)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 589 (Call to Non-ubiquitous API)
The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.
* Pillar Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. Incorrect Comparison - (697)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 697 (Incorrect Comparison)
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Object Model Violation: Just One of Equals and Hashcode Defined - (581)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 581 (Object Model Violation: Just One of Equals and Hashcode Defined)
The product does not maintain equal hashcodes for equal objects.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Following of Specification by Caller - (573)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 573 (Improper Following of Specification by Caller)
The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Explicit Call to Finalize() - (586)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 586 (Explicit Call to Finalize())
The product makes an explicit call to the finalize() method from outside the finalizer.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. finalize() Method Declared Public - (583)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 583 (finalize() Method Declared Public)
The product violates secure coding principles for mobile code by declaring a finalize() method public.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. finalize() Method Without super.finalize() - (568)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1140 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)) > 568 (finalize() Method Without super.finalize())
The product contains a finalize() method that does not call super.finalize().
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR) - (1141)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR))
Weaknesses in this category are related to the rules and recommendations in the Exceptional Behavior (ERR) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Cleanup on Thrown Exception - (460)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 460 (Improper Cleanup on Thrown Exception)
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Return Inside Finally Block - (584)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 584 (Return Inside Finally Block)
The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incomplete Cleanup - (459)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 459 (Incomplete Cleanup)
The product does not properly "clean up" and remove temporary or supporting resources after they have been used. Insufficient Cleanup
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Uncaught Exception - (248)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 248 (Uncaught Exception)
An exception is thrown from a function, but it is not caught.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Incorrect Control Flow Scoping - (705)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 705 (Incorrect Control Flow Scoping)
The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Check for Unusual or Exceptional Conditions - (754)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 754 (Improper Check for Unusual or Exceptional Conditions)
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
* Pillar Pillar - a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things. Improper Check or Handling of Exceptional Conditions - (703)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 703 (Improper Check or Handling of Exceptional Conditions)
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Declaration of Throws for Generic Exception - (397)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 397 (Declaration of Throws for Generic Exception)
Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. J2EE Bad Practices: Use of System.exit() - (382)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1141 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)) > 382 (J2EE Bad Practices: Use of System.exit())
A J2EE application uses System.exit(), which also shuts down its container.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA) - (1142)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1142 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA))
Weaknesses in this category are related to the rules and recommendations in the Visibility and Atomicity (VNA) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1142 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)) > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'))
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. Race Condition
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Race Condition within a Thread - (366)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1142 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)) > 366 (Race Condition within a Thread)
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Resource Locking - (413)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1142 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)) > 413 (Improper Resource Locking)
The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unsynchronized Access to Shared Data in a Multithreaded Context - (567)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1142 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)) > 567 (Unsynchronized Access to Shared Data in a Multithreaded Context)
The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Synchronization - (662)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1142 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)) > 662 (Improper Synchronization)
The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Locking - (667)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1142 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)) > 667 (Improper Locking)
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK) - (1143)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1143 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK))
Weaknesses in this category are related to the rules and recommendations in the Locking (LCK) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Unrestricted Externally Accessible Lock - (412)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1143 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK)) > 412 (Unrestricted Externally Accessible Lock)
The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Double-Checked Locking - (609)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1143 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK)) > 609 (Double-Checked Locking)
The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Locking - (667)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1143 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK)) > 667 (Improper Locking)
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Synchronization - (820)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1143 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK)) > 820 (Missing Synchronization)
The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 10. Thread APIs (THI) - (1144)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1144 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 10. Thread APIs (THI))
Weaknesses in this category are related to the rules and recommendations in the Thread APIs (THI) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Call to Thread run() instead of start() - (572)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1144 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 10. Thread APIs (THI)) > 572 (Call to Thread run() instead of start())
The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS) - (1145)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1145 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS))
Weaknesses in this category are related to the rules and recommendations in the Thread Pools (TPS) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Missing Report of Error Condition - (392)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1145 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)) > 392 (Missing Report of Error Condition)
The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Asymmetric Resource Consumption (Amplification) - (405)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1145 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)) > 405 (Asymmetric Resource Consumption (Amplification))
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insufficient Resource Pool - (410)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1145 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)) > 410 (Insufficient Resource Pool)
The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.
* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 12. Thread-Safety Miscellaneous (TSM) - (1146)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1146 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 12. Thread-Safety Miscellaneous (TSM))
Weaknesses in this category are related to the rules and recommendations in the Thread-Safety Miscellaneous (TSM) section of the SEI CERT Oracle Secure Coding Standard for Java.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO) - (1147)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO))
Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Improper Handling of Windows Device Names - (67)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 67 (Improper Handling of Windows Device Names)
The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Behavior Order: Validate Before Canonicalize - (180)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 180 (Incorrect Behavior Order: Validate Before Canonicalize)
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Incorrect Byte Ordering - (198)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 198 (Use of Incorrect Byte Ordering)
The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Default Permissions - (276)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 276 (Incorrect Default Permissions)
During installation, installed file permissions are set to allow anyone to modify those files.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Execution-Assigned Permissions - (279)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 279 (Incorrect Execution-Assigned Permissions)
While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Exposure of Private Personal Information to an Unauthorized Actor - (359)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 359 (Exposure of Private Personal Information to an Unauthorized Actor)
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. Privacy violation Privacy leak Privacy leakage
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Insecure Temporary File - (377)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 377 (Insecure Temporary File)
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Improper Resource Shutdown or Release - (404)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 404 (Improper Resource Shutdown or Release)
The product does not release or incorrectly releases a resource before it is made available for re-use.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Asymmetric Resource Consumption (Amplification) - (405)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 405 (Asymmetric Resource Consumption (Amplification))
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incomplete Cleanup - (459)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 459 (Incomplete Cleanup)
The product does not properly "clean up" and remove temporary or supporting resources after they have been used. Insufficient Cleanup
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Insertion of Sensitive Information into Log File - (532)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 532 (Insertion of Sensitive Information into Log File)
The product writes sensitive information to a log file.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Non-Canonical URL Paths for Authorization Decisions - (647)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 647 (Use of Non-Canonical URL Paths for Authorization Decisions)
The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Incorrect Control Flow Scoping - (705)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 705 (Incorrect Control Flow Scoping)
The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Incorrect Permission Assignment for Critical Resource - (732)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 732 (Incorrect Permission Assignment for Critical Resource)
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Allocation of Resources Without Limits or Throttling - (770)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1147 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)) > 770 (Allocation of Resources Without Limits or Throttling)
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER) - (1148)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1148 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER))
Weaknesses in this category are related to the rules and recommendations in the Serialization (SER) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Cleartext Transmission of Sensitive Information - (319)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1148 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)) > 319 (Cleartext Transmission of Sensitive Information)
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Uncontrolled Resource Consumption - (400)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1148 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)) > 400 (Uncontrolled Resource Consumption)
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Resource Exhaustion
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Serializable Class Containing Sensitive Data - (499)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1148 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)) > 499 (Serializable Class Containing Sensitive Data)
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Deserialization of Untrusted Data - (502)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1148 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)) > 502 (Deserialization of Untrusted Data)
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Marshaling, Unmarshaling Pickling, Unpickling PHP Object Injection
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Allocation of Resources Without Limits or Throttling - (770)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1148 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)) > 770 (Allocation of Resources Without Limits or Throttling)
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC) - (1149)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1149 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC))
Weaknesses in this category are related to the rules and recommendations in the Platform Security (SEC) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Incorrect Privilege Assignment - (266)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1149 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC)) > 266 (Incorrect Privilege Assignment)
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Least Privilege Violation - (272)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1149 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC)) > 272 (Least Privilege Violation)
The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Incorrect Permission Assignment for Critical Resource - (732)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1149 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC)) > 732 (Incorrect Permission Assignment for Critical Resource)
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV) - (1150)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1150 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV))
Weaknesses in this category are related to the rules and recommendations in the Runtime Environment (ENV) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Acceptance of Extraneous Untrusted Data With Trusted Data - (349)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1150 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV)) > 349 (Acceptance of Extraneous Untrusted Data With Trusted Data)
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Incorrect Permission Assignment for Critical Resource - (732)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1150 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV)) > 732 (Incorrect Permission Assignment for Critical Resource)
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 17. Java Native Interface (JNI) - (1151)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1151 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 17. Java Native Interface (JNI))
Weaknesses in this category are related to the rules and recommendations in the Java Native Interface (JNI) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Direct Use of Unsafe JNI - (111)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1151 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 17. Java Native Interface (JNI)) > 111 (Direct Use of Unsafe JNI)
When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC) - (1152)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC))
Weaknesses in this category are related to the rules and recommendations in the Miscellaneous (MSC) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Use of Hard-coded Password - (259)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 259 (Use of Hard-coded Password)
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Missing Encryption of Sensitive Data - (311)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 311 (Missing Encryption of Sensitive Data)
The product does not encrypt sensitive or critical information before storage or transmission.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Use of a Broken or Risky Cryptographic Algorithm - (327)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 327 (Use of a Broken or Risky Cryptographic Algorithm)
The product uses a broken or risky cryptographic algorithm or protocol.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Use of Insufficiently Random Values - (330)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 330 (Use of Insufficiently Random Values)
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Insufficient Entropy in PRNG - (332)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 332 (Insufficient Entropy in PRNG)
The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Same Seed in Pseudo-Random Number Generator (PRNG) - (336)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 336 (Same Seed in Pseudo-Random Number Generator (PRNG))
A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Predictable Seed in Pseudo-Random Number Generator (PRNG) - (337)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 337 (Predictable Seed in Pseudo-Random Number Generator (PRNG))
A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
* Class Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. Uncontrolled Resource Consumption - (400)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 400 (Uncontrolled Resource Consumption)
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Resource Exhaustion
* Variant Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. Missing Release of Memory after Effective Lifetime - (401)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 401 (Missing Release of Memory after Effective Lifetime)
The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. Memory Leak
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Allocation of Resources Without Limits or Throttling - (770)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 770 (Allocation of Resources Without Limits or Throttling)
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Use of Hard-coded Credentials - (798)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1152 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)) > 798 (Use of Hard-coded Credentials)
The product contains hard-coded credentials, such as a password or cryptographic key.
* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD) - (1153)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1153 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD))
Weaknesses in this category are related to the rules and recommendations in the Android (DRD) section of the SEI CERT Oracle Secure Coding Standard for Java.
* Category Category - a CWE entry that contains a set of other entries that share a common characteristic. SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON) - (1175)
1133 (Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java) > 1175 (SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON))
Weaknesses in this category are related to the rules and recommendations in the Concurrency (CON) section of the SEI CERT Oracle Secure Coding Standard for Java.
+ Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
+ Notes

Relationship

The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances.
+ References
[REF-970] The Software Engineering Institute. "SEI CERT Oracle Coding Standard for Java". <https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java>.
+ View Metrics
CWEs in this view Total CWEs
Weaknesses 88 out of 940
Categories 21 out of 374
Views 0 out of 51
Total 109 out of 1365
+ Content History
+ Submissions
Submission Date Submitter Organization
2018-12-11
(CWE 3.2, 2019-01-03)
CWE Content Team MITRE
+ Modifications
Modification Date Modifier Organization
2020-02-24 CWE Content Team MITRE
updated View_Audience
2023-06-29 CWE Content Team MITRE
updated Mapping_Notes
Page Last Updated: November 19, 2024