Changes that affect only whitespace are ignored. "Minor"
changes are text changes that affect only capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "Version 1.6 Total" lists the total number of relationships
in Version 1.6. The "Shared" value is the total number of
relationships in entries that were in both Version 1.6 and Version 1.5. The
"New" value is the total number of relationships involving
entries that did not exist in Version 1.5. Thus, the total number of
relationships in Version 1.6 would combine stats from Shared entries and
New entries.
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
| D | N | R | ID | Name |
|---|---|---|---|---|
| | | R | 20 | Improper Input Validation |
| D | | | 73 | External Control of File Name or Path |
| D | | | 74 | Failure to Sanitize Data into a Different Plane ('Injection') |
| D | | | 76 | Failure to Resolve Equivalent Special Elements into a Different Plane |
| D | | | 77 | Improper Sanitization of Special Elements used in a Command ('Command Injection') |
| | | R | 79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| | | R | 82 | Improper Sanitization of Script in Attributes of IMG Tags in a Web Page |
| | | R | 83 | Failure to Sanitize Script in Attributes in a Web Page |
| D | | | 86 | Failure to Sanitize Invalid Characters in Identifiers in Web Pages |
| | | R | 92 | DEPRECATED: Improper Sanitization of Custom Special Characters |
| | | R | 100 | Technology-Specific Input Validation Problems |
| D | | | 111 | Direct Use of Unsafe JNI |
| D | | | 112 | Missing XML Validation |
| D | | | 113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| | | R | 115 | Misinterpretation of Input |
| | | R | 116 | Improper Encoding or Escaping of Output |
| | | R | 117 | Improper Output Sanitization for Logs |
| | | R | 118 | Improper Access of Indexable Resource ('Range Error') |
| D | | R | 119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
| | | R | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| | | R | 121 | Stack-based Buffer Overflow |
| | | R | 122 | Heap-based Buffer Overflow |
| D | N | R | 124 | Buffer Underwrite ('Buffer Underflow') |
| D | | | 125 | Out-of-bounds Read |
| D | | R | 126 | Buffer Over-read |
| D | | R | 127 | Buffer Under-read |
| | | R | 128 | Wrap-around Error |
| D | N | R | 129 | Improper Validation of Array Index |
| | | R | 132 | DEPRECATED (Duplicate): Miscalculated Null Termination |
| | | R | 139 | DEPRECATED: General Special Element Problems |
| D | | | 170 | Improper Null Termination |
| | | R | 189 | Numeric Errors |
| | | R | 190 | Integer Overflow or Wraparound |
| D | | R | 195 | Signed to Unsigned Conversion Error |
| D | | | 212 | Cross-boundary Cleansing Information Leak |
| | | R | 217 | DEPRECATED: Failure to Protect Stored Data from Modification |
| | | R | 218 | DEPRECATED (Duplicate): Failure to provide confidentiality for stored data |
| | | R | 225 | DEPRECATED (Duplicate): General Information Management Problems |
| D | | | 226 | Sensitive Information Uncleared Before Release |
| D | | | 238 | Improper Handling of Incomplete Structural Elements |
| D | | | 239 | Failure to Handle Incomplete Element |
| D | | | 241 | Improper Handling of Unexpected Data Type |
| D | | | 242 | Use of Inherently Dangerous Function |
| D | | | 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') |
| | | R | 249 | DEPRECATED: Often Misused: Path Manipulation |
| D | | | 298 | Improper Validation of Certificate Expiration |
| | | R | 310 | Cryptographic Issues |
| | | R | 326 | Inadequate Encryption Strength |
| | | R | 327 | Use of a Broken or Risky Cryptographic Algorithm |
| | | R | 328 | Reversible One-Way Hash |
| D | | | 333 | Improper Handling of Insufficient Entropy in TRNG |
| D | | | 353 | Failure to Add Integrity Check Value |
| D | | | 354 | Improper Validation of Integrity Check Value |
| D | | | 396 | Declaration of Catch for Generic Exception |
| D | | | 397 | Declaration of Throws for Generic Exception |
| | | R | 398 | Indicator of Poor Code Quality |
| | | R | 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
| | | R | 423 | DEPRECATED (Duplicate): Proxied Trusted Channel |
| | | R | 436 | Interpretation Conflict |
| | | R | 443 | DEPRECATED (Duplicate): HTTP response splitting |
| | | R | 458 | DEPRECATED: Incorrect Initialization |
| D | | | 462 | Duplicate Key in Associative List (Alist) |
| D | | | 463 | Deletion of Data Structure Sentinel |
| | | R | 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| D | | | 472 | External Control of Assumed-Immutable Web Parameter |
| | | R | 476 | NULL Pointer Dereference |
| D | | | 488 | Data Leak Between Sessions |
| D | | | 497 | Information Leak of System Data |
| D | | | 498 | Information Leak through Class Cloning |
| D | | | 502 | Deserialization of Untrusted Data |
| D | | | 506 | Embedded Malicious Code |
| | | R | 516 | DEPRECATED (Duplicate): Covert Timing Channel |
| D | | | 548 | Information Leak Through Directory Listing |
| | | R | 565 | Reliance on Cookies without Validation and Integrity Checking |
| D | | | 568 | finalize() Method Without super.finalize() |
| D | | | 574 | EJB Bad Practices: Use of Synchronization Primitives |
| D | | | 575 | EJB Bad Practices: Use of AWT Swing |
| D | | | 576 | EJB Bad Practices: Use of Java I/O |
| D | | | 577 | EJB Bad Practices: Use of Sockets |
| D | | | 578 | EJB Bad Practices: Use of Class Loader |
| D | | | 581 | Object Model Violation: Just One of Equals and Hashcode Defined |
| D | | | 583 | finalize() Method Declared Public |
| D | | | 586 | Explicit Call to Finalize() |
| D | | | 602 | Client-Side Enforcement of Server-Side Security |
| | | R | 604 | Deprecated Entries |
| | | R | 606 | Unchecked Input for Loop Condition |
| D | | | 618 | Exposed Unsafe ActiveX Method |
| | | R | 682 | Incorrect Calculation |
| | | R | 693 | Protection Mechanism Failure |
| | | R | 759 | Use of a One-Way Hash without a Salt |
| | | R | 760 | Use of a One-Way Hash with a Predictable Salt |
| | | R | 770 | Allocation of Resources Without Limits or Throttling |
| | | R | 784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
| ID | Name | Major | Minor |
|---|---|---|---|
| 6 | J2EE Misconfiguration: Insufficient Session-ID Length | Background_Details, Common_Consequences, Enabling_Factors_for_Exploitation, Other_Notes, Potential_Mitigations | None |
| 15 | External Control of System or Configuration Setting | Modes_of_Introduction, Other_Notes | None |
| 20 | Improper Input Validation | Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Modes_of_Introduction, Observed_Examples, Relationships, Research_Gaps, Terminology_Notes | None |
| 59 | Improper Link Resolution Before File Access ('Link Following') | Background_Details, Other_Notes | None |
| 67 | Improper Handling of Windows Device Names | Background_Details, Other_Notes | None |
| 69 | Failure to Handle Windows ::DATA Alternate Data Stream | Other_Notes, Theoretical_Notes | None |
| 72 | Improper Handling of Apple HFS+ Alternate Data Stream Path | Other_Notes, Theoretical_Notes | None |
| 73 | External Control of File Name or Path | Common_Consequences, Description | None |
| 74 | Failure to Sanitize Data into a Different Plane ('Injection') | Description, Other_Notes | None |
| 76 | Failure to Resolve Equivalent Special Elements into a Different Plane | Description, Other_Notes | None |
| 77 | Improper Sanitization of Special Elements used in a Command ('Command Injection') | Common_Consequences, Description, Other_Notes, Potential_Mitigations | None |
| 78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | Observed_Examples, References | None |
| 79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Observed_Examples, Relationships | None |
| 82 | Improper Sanitization of Script in Attributes of IMG Tags in a Web Page | Relationships | None |
| 83 | Failure to Sanitize Script in Attributes in a Web Page | Relationships | None |
| 86 | Failure to Sanitize Invalid Characters in Identifiers in Web Pages | Description, Other_Notes | None |
| 88 | Argument Injection or Modification | Observed_Examples | None |
| 89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | None | Demonstrative_Examples |
| 90 | Failure to Sanitize Data into LDAP Queries ('LDAP Injection') | Other_Notes, Relationship_Notes | None |
| 92 | DEPRECATED: Improper Sanitization of Custom Special Characters | Relationships | None |
| 93 | Failure to Sanitize CRLF Sequences ('CRLF Injection') | Other_Notes | None |
| 97 | Failure to Sanitize Server-Side Includes (SSI) Within a Web Page | Other_Notes, Relationship_Notes | None |
| 100 | Technology-Specific Input Validation Problems | Relationships, Taxonomy_Mappings, Type | None |
| 111 | Direct Use of Unsafe JNI | Description, Other_Notes | None |
| 112 | Missing XML Validation | Description | None |
| 113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | Common_Consequences, Description, Other_Notes, Theoretical_Notes | None |
| 115 | Misinterpretation of Input | Relationships | None |
| 116 | Improper Encoding or Escaping of Output | Relationships | None |
| 117 | Improper Output Sanitization for Logs | Common_Consequences, Other_Notes, Relationships | None |
| 118 | Improper Access of Indexable Resource ('Range Error') | Relationships | None |
| 119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Relationships, Time_of_Introduction | None |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Common_Consequences, Relationships | None |
| 121 | Stack-based Buffer Overflow | Relationships | None |
| 122 | Heap-based Buffer Overflow | Relationships | None |
| 124 | Buffer Underwrite ('Buffer Underflow') | Description, Name, Relationships | None |
| 125 | Out-of-bounds Read | Description | None |
| 126 | Buffer Over-read | Description, Relationship_Notes, Relationships | None |
| 127 | Buffer Under-read | Description, Relationships | None |
| 128 | Wrap-around Error | Common_Consequences, Relationships | None |
| 129 | Improper Validation of Array Index | Description, Name, Relationships | None |
| 132 | DEPRECATED (Duplicate): Miscalculated Null Termination | Relationships | None |
| 139 | DEPRECATED: General Special Element Problems | Relationships | None |
| 146 | Failure to Sanitize Expression/Command Delimiters | Other_Notes, Relationship_Notes | None |
| 159 | Failure to Sanitize Special Element | Maintenance_Notes, Other_Notes, Terminology_Notes | None |
| 166 | Improper Handling of Missing Special Element | Other_Notes | None |
| 170 | Improper Null Termination | Description | None |
| 188 | Reliance on Data/Memory Layout | Common_Consequences | None |
| 189 | Numeric Errors | Relationships | None |
| 190 | Integer Overflow or Wraparound | Relationships | None |
| 194 | Unexpected Sign Extension | Demonstrative_Examples | None |
| 195 | Signed to Unsigned Conversion Error | Common_Consequences, Description, Other_Notes, Relationships | None |
| 196 | Unsigned to Signed Conversion Error | Common_Consequences | None |
| 201 | Information Leak Through Sent Data | Other_Notes, Potential_Mitigations | None |
| 212 | Cross-boundary Cleansing Information Leak | Description, Other_Notes, Relationship_Notes | None |
| 214 | Process Environment Information Leak | Other_Notes | None |
| 217 | DEPRECATED: Failure to Protect Stored Data from Modification | Relationships | None |
| 218 | DEPRECATED (Duplicate): Failure to provide confidentiality for stored data | Relationships | None |
| 225 | DEPRECATED (Duplicate): General Information Management Problems | Relationships | None |
| 226 | Sensitive Information Uncleared Before Release | Description, Other_Notes | None |
| 230 | Improper Handling of Missing Values | Other_Notes, Research_Gaps | None |
| 237 | Improper Handling of Structural Elements | None | Description |
| 238 | Improper Handling of Incomplete Structural Elements | Description | None |
| 239 | Failure to Handle Incomplete Element | Description | None |
| 241 | Improper Handling of Unexpected Data Type | Description | None |
| 242 | Use of Inherently Dangerous Function | Description, Other_Notes, References | None |
| 244 | Failure to Clear Heap Memory Before Release ('Heap Inspection') | Common_Consequences, Description, Other_Notes | None |
| 249 | DEPRECATED: Often Misused: Path Manipulation | Relationships | None |
| 258 | Empty Password in Configuration File | Other_Notes, Potential_Mitigations | None |
| 285 | Improper Access Control (Authorization) | Type | None |
| 287 | Improper Authentication | Common_Consequences, Observed_Examples | None |
| 292 | Trusting Self-reported DNS Name | Observed_Examples | None |
| 294 | Authentication Bypass by Capture-replay | Observed_Examples | None |
| 298 | Improper Validation of Certificate Expiration | Description, Other_Notes | None |
| 310 | Cryptographic Issues | Relationships | None |
| 311 | Failure to Encrypt Sensitive Data | Common_Consequences, Other_Notes | None |
| 326 | Inadequate Encryption Strength | Relationships | None |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | Relationships | None |
| 328 | Reversible One-Way Hash | Relationships | None |
| 333 | Improper Handling of Insufficient Entropy in TRNG | Description, Other_Notes | None |
| 353 | Failure to Add Integrity Check Value | Description, Other_Notes | None |
| 354 | Improper Validation of Integrity Check Value | Description, Other_Notes | None |
| 358 | Improperly Implemented Security Check for Standard | Modes_of_Introduction, Observed_Examples, Other_Notes, Relationship_Notes | None |
| 369 | Divide By Zero | Other_Notes | None |
| 378 | Creation of Temporary File With Insecure Permissions | Common_Consequences, Other_Notes | None |
| 388 | Error Handling | Common_Consequences | None |
| 392 | Failure to Report Error in Status Code | Other_Notes, Weakness_Ordinalities | None |
| 396 | Declaration of Catch for Generic Exception | Description, Other_Notes | None |
| 397 | Declaration of Throws for Generic Exception | Description, Other_Notes | None |
| 398 | Indicator of Poor Code Quality | Relationships | None |
| 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | Relationships | None |
| 401 | Failure to Release Memory Before Removing Last Reference ('Memory Leak') | Modes_of_Introduction, Other_Notes | None |
| 404 | Improper Resource Shutdown or Release | Other_Notes | None |
| 407 | Algorithmic Complexity | Common_Consequences | None |
| 410 | Insufficient Resource Pool | Common_Consequences | None |
| 415 | Double Free | Other_Notes | None |
| 416 | Use After Free | Common_Consequences | None |
| 423 | DEPRECATED (Duplicate): Proxied Trusted Channel | Relationships | None |
| 424 | Failure to Protect Alternate Path | Other_Notes | None |
| 429 | Handler Errors | Other_Notes | None |
| 430 | Deployment of Wrong Handler | Other_Notes, Weakness_Ordinalities | None |
| 436 | Interpretation Conflict | Relationships | None |
| 440 | Expected Behavior Violation | Other_Notes, Relevant_Properties, Theoretical_Notes | None |
| 443 | DEPRECATED (Duplicate): HTTP response splitting | Relationships | None |
| 454 | External Initialization of Trusted Variables | Other_Notes, Relationship_Notes | None |
| 458 | DEPRECATED: Incorrect Initialization | Relationships | None |
| 462 | Duplicate Key in Associative List (Alist) | Demonstrative_Examples, Description, Other_Notes | None |
| 463 | Deletion of Data Structure Sentinel | Description, Other_Notes | None |
| 466 | Return of Pointer Value Outside of Expected Range | Maintenance_Notes | None |
| 468 | Incorrect Pointer Scaling | Common_Consequences | None |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Alternate_Terms, Relationships | None |
| 472 | External Control of Assumed-Immutable Web Parameter | Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationship_Notes, Theoretical_Notes | None |
| 476 | NULL Pointer Dereference | Relationships | None |
| 482 | Comparing instead of Assigning | Other_Notes | None |
| 483 | Incorrect Block Delimitation | Common_Consequences | None |
| 488 | Data Leak Between Sessions | Description, Other_Notes | None |
| 489 | Leftover Debug Code | Common_Consequences | None |
| 497 | Information Leak of System Data | Description, Other_Notes | None |
| 498 | Information Leak through Class Cloning | Common_Consequences, Description, Other_Notes, Potential_Mitigations | None |
| 502 | Deserialization of Untrusted Data | Description, Other_Notes, Potential_Mitigations | None |
| 506 | Embedded Malicious Code | Description, Other_Notes | None |
| 515 | Covert Storage Channel | Other_Notes | None |
| 516 | DEPRECATED (Duplicate): Covert Timing Channel | Relationships | None |
| 525 | Information Leak Through Browser Caching | Common_Consequences, Other_Notes, Potential_Mitigations | None |
| 530 | Information Leak Through Backup (.~bk) Files | Common_Consequences | None |
| 536 | Information Leak Through Servlet Runtime Error Message | Common_Consequences | None |
| 544 | Failure to Use a Standardized Error Handling Mechanism | Potential_Mitigations, Time_of_Introduction | None |
| 548 | Information Leak Through Directory Listing | Description, Other_Notes | None |
| 561 | Dead Code | Common_Consequences, Other_Notes | None |
| 565 | Reliance on Cookies without Validation and Integrity Checking | Relationships | None |
| 568 | finalize() Method Without super.finalize() | Description, Other_Notes | None |
| 570 | Expression is Always False | Demonstrative_Examples | None |
| 574 | EJB Bad Practices: Use of Synchronization Primitives | Description, Other_Notes | None |
| 575 | EJB Bad Practices: Use of AWT Swing | Description, Other_Notes | None |
| 576 | EJB Bad Practices: Use of Java I/O | Description, Other_Notes | None |
| 577 | EJB Bad Practices: Use of Sockets | Description, Other_Notes | None |
| 578 | EJB Bad Practices: Use of Class Loader | Description, Other_Notes | None |
| 581 | Object Model Violation: Just One of Equals and Hashcode Defined | Common_Consequences, Description, Other_Notes | None |
| 583 | finalize() Method Declared Public | Description, Other_Notes | None |
| 586 | Explicit Call to Finalize() | Description, Other_Notes | None |
| 602 | Client-Side Enforcement of Server-Side Security | Applicable_Platforms, Common_Consequences, Description | None |
| 604 | Deprecated Entries | Relationships, View_Filter, View_Structure | None |
| 605 | Multiple Binds to the Same Port | Common_Consequences | None |
| 606 | Unchecked Input for Loop Condition | Relationships | None |
| 609 | Double-Checked Locking | Taxonomy_Mappings | References |
| 610 | Externally Controlled Reference to a Resource in Another Sphere | Other_Notes, Relationship_Notes | None |
| 612 | Information Leak Through Indexing of Private Data | Other_Notes, Research_Gaps | None |
| 618 | Exposed Unsafe ActiveX Method | Description, Other_Notes | None |
| 619 | Dangling Database Cursor ('Cursor Injection') | Modes_of_Introduction, Other_Notes, Weakness_Ordinalities | None |
| 628 | Function Call with Incorrectly Specified Arguments | Detection_Factors, Other_Notes, Weakness_Ordinalities | None |
| 639 | Access Control Bypass Through User-Controlled Key | Common_Consequences | None |
| 641 | Insufficient Filtering of File and Other Resource Names for Executable Content | Common_Consequences | None |
| 643 | Failure to Sanitize Data within XPath Expressions ('XPath injection') | Common_Consequences | None |
| 644 | Improper Sanitization of HTTP Headers for Scripting Syntax | Common_Consequences | None |
| 646 | Reliance on File Name or Extension of Externally-Supplied File | Common_Consequences | None |
| 647 | Use of Non-Canonical URL Paths for Authorization Decisions | Common_Consequences | None |
| 648 | Incorrect Use of Privileged APIs | Common_Consequences | None |
| 649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | Common_Consequences | None |
| 650 | Trusting HTTP Permission Methods on the Server Side | Common_Consequences | None |
| 651 | Information Leak through WSDL File | Common_Consequences | None |
| 652 | Failure to Sanitize Data within XQuery Expressions ('XQuery Injection') | Common_Consequences | None |
| 665 | Improper Initialization | Common_Consequences | None |
| 668 | Exposure of Resource to Wrong Sphere | Other_Notes, Theoretical_Notes | None |
| 669 | Incorrect Resource Transfer Between Spheres | Background_Details, Other_Notes | None |
| 673 | External Influence of Sphere Definition | Other_Notes, Theoretical_Notes | None |
| 675 | Duplicate Operations on Resource | Other_Notes, Relationship_Notes | None |
| 682 | Incorrect Calculation | Demonstrative_Examples, Relationships | None |
| 683 | Function Call With Incorrect Order of Arguments | Modes_of_Introduction, Other_Notes, Potential_Mitigations | None |
| 685 | Function Call With Incorrect Number of Arguments | Modes_of_Introduction, Other_Notes, Potential_Mitigations | None |
| 686 | Function Call With Incorrect Argument Type | Other_Notes, Potential_Mitigations | None |
| 687 | Function Call With Incorrectly Specified Argument Value | Other_Notes, Relationship_Notes | None |
| 688 | Function Call With Incorrect Variable or Reference as Argument | Modes_of_Introduction, Other_Notes, Potential_Mitigations | None |
| 693 | Protection Mechanism Failure | Relationships | None |
| 703 | Failure to Handle Exceptional Conditions | Other_Notes | None |
| 759 | Use of a One-Way Hash without a Salt | Relationships | None |
| 760 | Use of a One-Way Hash with a Predictable Salt | Observed_Examples, Relationships | None |
| 770 | Allocation of Resources Without Limits or Throttling | Relationships | None |
| 784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | Relationships | None |