CWE VIEW: Seven Pernicious Kingdoms
This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses at varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base-level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability, while a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
700 (Seven Pernicious Kingdoms)
  254 (7PK - Security Features)
    Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
    256 (Plaintext Storage of a Password)
      Storing a password in plaintext may result in a system compromise.
    258 (Empty Password in Configuration File)
      Using an empty string as a password is insecure.
    259 (Use of Hard-coded Password)
      The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
    260 (Password in Configuration File)
      The product stores a password in a configuration file that might be accessible to actors who do not know the password.
    261 (Weak Encoding for Password)
      Obscuring a password with a trivial encoding does not protect the password.
    272 (Least Privilege Violation)
      The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
    284 (Improper Access Control)
      The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
      Alternate terms: Authorization
    285 (Improper Authorization)
      The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
      Alternate terms: AuthZ
    330 (Use of Insufficiently Random Values)
      The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
    359 (Exposure of Private Personal Information to an Unauthorized Actor)
      The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
      Alternate terms: Privacy violation; Privacy leak; Privacy leakage
    798 (Use of Hard-coded Credentials)
      The product contains hard-coded credentials, such as a password or cryptographic key.
  361 (7PK - Time and State)
    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses related to the improper management of time and state in an environment that supports simultaneous or near-simultaneous computation by multiple systems, processes, or threads. According to the authors of the Seven Pernicious Kingdoms, "Distributed computation is about time and state. That is, in order for more than one component to communicate, state must be shared, and all that takes time. Most programmers anthropomorphize their work. They think about one thread of control carrying out the entire program in the same way they would if they had to do the job themselves. Modern computers, however, switch between tasks very quickly, and in multi-core, multi-CPU, or distributed systems, two events may take place at exactly the same time. Defects rush to fill the gap between the programmer's model of how a program executes and what happens in reality. These defects are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the file system, and, basically, anything that can store information."
    364 (Signal Handler Race Condition)
      The product uses a signal handler that introduces a race condition.
    367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
      The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
      Alternate terms: TOCTTOU; TOCCTOU
    377 (Insecure Temporary File)
      Creating and using insecure temporary files can leave application and system data vulnerable to attack.
    382 (J2EE Bad Practices: Use of System.exit())
      A J2EE application uses System.exit(), which also shuts down its container.
    383 (J2EE Bad Practices: Direct Use of Threads)
      Thread management in a Web application is forbidden in some circumstances and is always highly error prone.
    384 (Session Fixation)
      Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
    412 (Unrestricted Externally Accessible Lock)
      The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control.
  388 (7PK - Errors)
    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."
    391 (Unchecked Error Condition)
      [PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
    395 (Use of NullPointerException Catch to Detect NULL Pointer Dereference)
      Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.
    396 (Declaration of Catch for Generic Exception)
      Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
    397 (Declaration of Throws for Generic Exception)
      Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.
  1005 (7PK - Input Validation and Representation)
    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that exist when an application does not properly validate or represent input. According to the authors of the Seven Pernicious Kingdoms, "Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input."
    20 (Improper Input Validation)
      The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
      102 (Struts: Duplicate Validation Forms)
        The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.
      103 (Struts: Incomplete validate() Method Definition)
        The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().
      104 (Struts: Form Bean Does Not Extend Validation Class)
        If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
      105 (Struts: Form Field Without Validator)
        The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
      106 (Struts: Plug-in Framework not in Use)
        When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.
      107 (Struts: Unused Validation Form)
        An unused validation form indicates that validation logic is not up-to-date.
      108 (Struts: Unvalidated Action Form)
        Every Action Form must have a corresponding validation form.
      109 (Struts: Validator Turned Off)
        Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
      110 (Struts: Validator Without Form Field)
        Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.
      111 (Direct Use of Unsafe JNI)
        When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.
      112 (Missing XML Validation)
        The product accepts XML from an untrusted source but does not validate the XML against the proper schema.
      113 (Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'))
        The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
        Alternate terms: HTTP Request Splitting; HTTP Response Splitting
      114 (Process Control)
        Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.
      117 (Improper Output Neutralization for Logs)
        The product does not neutralize or incorrectly neutralizes output that is written to logs.
      119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
        The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
        Alternate terms: Buffer Overflow; buffer overrun; memory safety
      120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))
        The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
        Alternate terms: Classic Buffer Overflow; Unbounded Transfer
      134 (Use of Externally-Controlled Format String)
        The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
      15 (External Control of System or Configuration Setting)
        One or more system settings or configuration elements can be externally controlled by a user.
      170 (Improper Null Termination)
        The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
      190 (Integer Overflow or Wraparound)
        The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
        Alternate terms: Overflow; Wraparound; wrap, wrap-around, wrap around
      466 (Return of Pointer Value Outside of Expected Range)
        A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.
      470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'))
        The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
        Alternate terms: Reflection Injection
      73 (External Control of File Name or Path)
        The product allows user input to control or influence paths or file names that are used in filesystem operations.
      785 (Use of Path Manipulation Function without Maximum-sized Buffer)
        The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.
    77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
      The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
      Alternate terms: Command injection
    79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
      The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      Alternate terms: XSS; HTML Injection; CSS
    89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
      The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
      Alternate terms: SQL injection; SQLi
    99 (Improper Control of Resource Identifiers ('Resource Injection'))
      The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
      Alternate terms: Insecure Direct Object Reference
  227 (7PK - API Abuse)
    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that involve the software using an API in a manner contrary to its intended use. According to the authors of the Seven Pernicious Kingdoms, "An API is a contract between a caller and a callee. The most common forms of API misuse occurs when the caller does not honor its end of this contract. For example, if a program does not call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller misuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated."
    242 (Use of Inherently Dangerous Function)
      The product calls a function that can never be guaranteed to work safely.
    243 (Creation of chroot Jail Without Changing Working Directory)
      The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.
    244 (Improper Clearing of Heap Memory Before Release ('Heap Inspection'))
      Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
    245 (J2EE Bad Practices: Direct Management of Connections)
      The J2EE application directly manages connections, instead of using the container's connection management facilities.
    246 (J2EE Bad Practices: Direct Use of Sockets)
      The J2EE application directly uses sockets instead of using framework method calls.
    248 (Uncaught Exception)
      An exception is thrown from a function, but it is not caught.
    250 (Execution with Unnecessary Privileges)
      The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
    251 (Often Misused: String Management)
      Functions that manipulate strings encourage buffer overflows.
    252 (Unchecked Return Value)
      The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
    558 (Use of getlogin() in Multithreaded Application)
      The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
  398 (7PK - Code Quality)
    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."
    401 (Missing Release of Memory after Effective Lifetime)
      The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.
      Alternate terms: Memory Leak
    404 (Improper Resource Shutdown or Release)
      The product does not release or incorrectly releases a resource before it is made available for re-use.
    415 (Double Free)
      The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
      Alternate terms: Double-free
    416 (Use After Free)
      The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
      Alternate terms: Dangling pointer; UAF; Use-After-Free
    457 (Use of Uninitialized Variable)
      The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
    474 (Use of Function with Inconsistent Implementations)
      The code uses a function that has inconsistent implementations across operating systems and versions.
    475 (Undefined Behavior for Input to API)
      The behavior of this function is undefined unless its control parameter is set to a specific value.
    476 (NULL Pointer Dereference)
      The product dereferences a pointer that it expects to be valid but is NULL.
      Alternate terms: NPD; null deref; NPE; nil pointer dereference
    477 (Use of Obsolete Function)
      The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.
  485 (7PK - Encapsulation)
    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
    486 (Comparison of Classes by Name)
      The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
    488 (Exposure of Data Element to Wrong Session)
      The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
    489 (Active Debug Code)
      The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
      Alternate terms: Leftover debug code
    491 (Public cloneable() Method Without Final ('Object Hijack'))
      A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
    492 (Use of Inner Class Containing Sensitive Data)
      Inner classes are translated into classes that are accessible at package scope and may expose to attackers code that the programmer intended to keep private.
    493 (Critical Public Variable Without Final Modifier)
      The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
    495 (Private Data Structure Returned From A Public Method)
      The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
    496 (Public Data Assigned to Private Array-Typed Field)
      Assigning public data to a private array is equivalent to giving public access to the array.
    497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere)
      The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
    501 (Trust Boundary Violation)
      The product mixes trusted and untrusted data in the same data structure or structured message.
  2 (7PK - Environment)
    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that are typically introduced during unexpected environmental conditions. According to the authors of the Seven Pernicious Kingdoms, "This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms."
    11 (ASP.NET Misconfiguration: Creating Debug Binary)
      Debugging messages help attackers learn about the system and plan a form of attack.
    12 (ASP.NET Misconfiguration: Missing Custom Error Page)
      An ASP.NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
    13 (ASP.NET Misconfiguration: Password in Configuration File)
      Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource, making them an easy target for attackers.
    14 (Compiler Removal of Code to Clear Buffers)
      Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
    5 (J2EE Misconfiguration: Data Transmission Without Encryption)
      Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted.
    6 (J2EE Misconfiguration: Insufficient Session-ID Length)
      The J2EE application is configured to use an insufficient session ID length.
    7 (J2EE Misconfiguration: Missing Custom Error Page)
      The default error page of a web application should not display sensitive information about the product.
    8 (J2EE Misconfiguration: Entity Bean Declared Remote)
      When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
    9 (J2EE Misconfiguration: Weak Access Permissions for EJB Methods)
      If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
Other
The MITRE CWE team frequently uses "7PK" as an abbreviation for Seven Pernicious Kingdoms.
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.