CWE - CWE-743: CWE CATEGORY: CERT C Secure Coding Standard (2008) Chapter 10

Category ID: 743

Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities

Summary

Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) chapter of the CERT C Secure Coding Standard (2008).

Membership

Nature	Type	ID	Name
MemberOf	View - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries).	734	Weaknesses Addressed by the CERT C Secure Coding Standard (2008)
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	37	Path Traversal: '/absolute/pathname/here'
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	38	Path Traversal: '\absolute\pathname\here'
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	39	Path Traversal: 'C:dirname'
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	41	Improper Resolution of Path Equivalence
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	59	Improper Link Resolution Before File Access ('Link Following')
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	62	UNIX Hard Link
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	64	Windows Shortcut Following (.LNK)
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	65	Windows Hard Link
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	67	Improper Handling of Windows Device Names
HasMember	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	134	Use of Externally-Controlled Format String
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	241	Improper Handling of Unexpected Data Type
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	276	Incorrect Default Permissions
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	279	Incorrect Execution-Assigned Permissions
HasMember	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	367	Time-of-check Time-of-use (TOCTOU) Race Condition
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	379	Creation of Temporary File in Directory with Insecure Permissions
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	391	Unchecked Error Condition
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	403	Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
HasMember	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	404	Improper Resource Shutdown or Release
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	552	Files or Directories Accessible to External Parties
HasMember	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	675	Multiple Operations on Resource in Single-Operation Context
HasMember	Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.	676	Use of Potentially Dangerous Function
HasMember	Variant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.	686	Function Call With Incorrect Argument Type
HasMember	Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.	732	Incorrect Permission Assignment for Critical Resource

Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: Category

Rationale:

This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.

Comments:

See member weaknesses of this category.

Notes

Relationship

In the 2008 version of the CERT C Secure Coding standard, the following rules were mapped to the following CWE IDs:

CWE-22 FIO02-C Canonicalize path names originating from untrusted sources
CWE-37 FIO05-C Identify files using multiple file attributes
CWE-38 FIO05-C Identify files using multiple file attributes
CWE-39 FIO05-C Identify files using multiple file attributes
CWE-41 FIO02-C Canonicalize path names originating from untrusted sources
CWE-59 FIO02-C Canonicalize path names originating from untrusted sources
CWE-62 FIO05-C Identify files using multiple file attributes
CWE-64 FIO05-C Identify files using multiple file attributes
CWE-65 FIO05-C Identify files using multiple file attributes
CWE-67 FIO32-C Do not perform operations on devices that are only appropriate for files
CWE-119 FIO37-C Do not assume character data has been read
CWE-134 FIO30-C Exclude user input from format strings
CWE-134 FIO30-C Exclude user input from format strings
CWE-241 FIO37-C Do not assume character data has been read
CWE-276 FIO06-C Create files with appropriate access permissions
CWE-279 FIO06-C Create files with appropriate access permissions
CWE-362 FIO31-C Do not simultaneously open the same file multiple times
CWE-367 FIO01-C Be careful using functions that use file names for identification
CWE-379 FIO15-C Ensure that file operations are performed in a secure directory
CWE-379 FIO43-C Do not create temporary files in shared directories
CWE-391 FIO04-C Detect and handle input and output errors
CWE-391 FIO33-C Detect and handle input output errors resulting in undefined behavior
CWE-403 FIO42-C Ensure files are properly closed when they are no longer needed
CWE-404 FIO42-C Ensure files are properly closed when they are no longer needed
CWE-552 FIO15-C Ensure that file operations are performed in a secure directory
CWE-675 FIO31-C Do not simultaneously open the same file multiple times
CWE-676 FIO01-C Be careful using functions that use file names for identification
CWE-686 FIO00-C Take care when creating format strings
CWE-732 FIO06-C Create files with appropriate access permissions

References

[REF-597] Robert C. Seacord. "The CERT C Secure Coding Standard". 1st Edition. Addison-Wesley Professional. 2008-10-14.

Content History

Submissions
Submission Date	Submitter	Organization
2008-11-24 (CWE 1.1, 2008-11-24)	CWE Content Team	MITRE
2008-11-24 (CWE 1.1, 2008-11-24)
Modifications
Modification Date	Modifier	Organization
2011-09-13	CWE Content Team	MITRE
2011-09-13	updated Relationships
2017-11-08	CWE Content Team	MITRE
2017-11-08	updated Description, Name, Relationship_Notes
2019-01-03	CWE Content Team	MITRE
2019-01-03	updated Description, Name, References
2023-04-27	CWE Content Team	MITRE
2023-04-27	updated Mapping_Notes
2023-06-29	CWE Content Team	MITRE
2023-06-29	updated Mapping_Notes
Previous Entry Names
Change Date	Previous Entry Name
2017-11-08	CERT C Secure Coding Section 09 - Input Output (FIO)
2019-01-03	CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO)

Common Weakness Enumeration

CWE CATEGORY: CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO)


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.