Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "Version 2.12 Total" lists the total number of relationships
in Version 2.12. The "Shared" value is the total number of
relationships in entries that were in both Version 2.12 and Version 2.11. The
"New" value is the total number of relationships involving
entries that did not exist in Version 2.11. Thus, the total number of
relationships in Version 2.12 would combine stats from Shared entries and
New entries.
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
D | N | |
1 |
DEPRECATED: Location |
D | N | |
2 |
7PK - Environment |
D | N | |
3 |
DEPRECATED: Technology-specific Environment Issues |
D | | |
5 |
J2EE Misconfiguration: Data Transmission Without Encryption |
D | | R |
6 |
J2EE Misconfiguration: Insufficient Session-ID Length |
D | N | R |
10 |
DEPRECATED: ASP.NET Environment Issues |
| | R |
11 |
ASP.NET Misconfiguration: Creating Debug Binary |
| | R |
12 |
ASP.NET Misconfiguration: Missing Custom Error Page |
| | R |
13 |
ASP.NET Misconfiguration: Password in Configuration File |
| | R |
14 |
Compiler Removal of Code to Clear Buffers |
| | R |
15 |
External Control of System or Configuration Setting |
| | R |
18 |
Source Code |
| | R |
19 |
Data Processing Errors |
| | R |
20 |
Improper Input Validation |
D | | R |
21 |
Pathname Traversal and Equivalence Errors |
| | R |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| | R |
41 |
Improper Resolution of Path Equivalence |
| | R |
59 |
Improper Link Resolution Before File Access ('Link Following') |
D | N | R |
60 |
DEPRECATED: UNIX Path Link Problems |
| | R |
61 |
UNIX Symbolic Link (Symlink) Following |
| | R |
62 |
UNIX Hard Link |
D | N | R |
63 |
DEPRECATED: Windows Path Link Problems |
| | R |
64 |
Windows Shortcut Following (.LNK) |
| | R |
65 |
Windows Hard Link |
| | R |
66 |
Improper Handling of File Names that Identify Virtual Resources |
| | R |
67 |
Improper Handling of Windows Device Names |
D | N | R |
68 |
DEPRECATED: Windows Virtual File Problems |
| | R |
69 |
Improper Handling of Windows ::DATA Alternate Data Stream |
D | N | R |
70 |
DEPRECATED: Mac Virtual File Problems |
D | N | R |
71 |
DEPRECATED: Apple '.DS_Store' |
| | R |
72 |
Improper Handling of Apple HFS+ Alternate Data Stream Path |
| | R |
73 |
External Control of File Name or Path |
| | R |
74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | R |
75 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| | R |
76 |
Improper Neutralization of Equivalent Special Elements |
| | R |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| | R |
78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| | R |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| | R |
80 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| | R |
88 |
Argument Injection or Modification |
| | R |
89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| | R |
90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| | R |
91 |
XML Injection (aka Blind XPath Injection) |
| | R |
93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| | R |
94 |
Improper Control of Generation of Code ('Code Injection') |
| | R |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| | R |
96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| | R |
97 |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
| | R |
98 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
| | R |
99 |
Improper Control of Resource Identifiers ('Resource Injection') |
D | N | R |
100 |
DEPRECATED: Technology-Specific Input Validation Problems |
D | N | R |
101 |
DEPRECATED: Struts Validation Problems |
| | R |
102 |
Struts: Duplicate Validation Forms |
| | R |
103 |
Struts: Incomplete validate() Method Definition |
| | R |
104 |
Struts: Form Bean Does Not Extend Validation Class |
| | R |
105 |
Struts: Form Field Without Validator |
| | R |
106 |
Struts: Plug-in Framework not in Use |
| | R |
107 |
Struts: Unused Validation Form |
| | R |
108 |
Struts: Unvalidated Action Form |
| | R |
109 |
Struts: Validator Turned Off |
| | R |
110 |
Struts: Validator Without Form Field |
| | R |
112 |
Missing XML Validation |
| | R |
114 |
Process Control |
| | R |
117 |
Improper Output Neutralization for Logs |
| | R |
119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
| | R |
120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| | R |
121 |
Stack-based Buffer Overflow |
| | R |
122 |
Heap-based Buffer Overflow |
| | R |
129 |
Improper Validation of Array Index |
| | R |
134 |
Use of Externally-Controlled Format String |
| | R |
138 |
Improper Neutralization of Special Elements |
| | R |
150 |
Improper Neutralization of Escape, Meta, or Control Sequences |
| | R |
159 |
Failure to Sanitize Special Element |
| | R |
160 |
Improper Neutralization of Leading Special Elements |
| | R |
162 |
Improper Neutralization of Trailing Special Elements |
| | R |
164 |
Improper Neutralization of Internal Special Elements |
D | N | R |
169 |
DEPRECATED: Technology-Specific Special Elements |
| | R |
170 |
Improper Null Termination |
| | R |
171 |
Cleansing, Canonicalization, and Comparison Errors |
| | R |
178 |
Improper Handling of Case Sensitivity |
| | R |
189 |
Numeric Errors |
| | R |
192 |
Integer Coercion Error |
| | R |
201 |
Information Exposure Through Sent Data |
| | R |
208 |
Information Exposure Through Timing Discrepancy |
| | R |
209 |
Information Exposure Through an Error Message |
| | R |
210 |
Information Exposure Through Self-generated Error Message |
| | R |
211 |
Information Exposure Through Externally-Generated Error Message |
| | R |
212 |
Improper Cross-boundary Removal of Sensitive Data |
| | R |
214 |
Information Exposure Through Process Environment |
| | R |
216 |
Containment Errors (Container Errors) |
| | R |
219 |
Sensitive Data Under Web Root |
| | R |
220 |
Sensitive Data Under FTP Root |
| | R |
223 |
Omission of Security-relevant Information |
| | R |
224 |
Obscured Security-relevant Information by Alternate Name |
| | R |
226 |
Sensitive Information Uncleared Before Release |
D | N | R |
227 |
7PK - API Abuse |
| | R |
242 |
Use of Inherently Dangerous Function |
| | R |
243 |
Creation of chroot Jail Without Changing Working Directory |
| | R |
244 |
Improper Clearing of Heap Memory Before Release ('Heap Inspection') |
| | R |
245 |
J2EE Bad Practices: Direct Management of Connections |
| | R |
246 |
J2EE Bad Practices: Direct Use of Sockets |
| | R |
248 |
Uncaught Exception |
| | R |
250 |
Execution with Unnecessary Privileges |
| | R |
251 |
Often Misused: String Management |
| | R |
252 |
Unchecked Return Value |
| | R |
253 |
Incorrect Check of Function Return Value |
| N | R |
254 |
7PK - Security Features |
| | R |
256 |
Plaintext Storage of a Password |
| | R |
257 |
Storing Passwords in a Recoverable Format |
| | R |
258 |
Empty Password in Configuration File |
| | R |
259 |
Use of Hard-coded Password |
| | R |
260 |
Password in Configuration File |
| | R |
261 |
Weak Cryptography for Passwords |
| | R |
262 |
Not Using Password Aging |
| | R |
263 |
Password Aging with Long Expiration |
| | R |
264 |
Permissions, Privileges, and Access Controls |
| | R |
265 |
Privilege / Sandbox Issues |
| | R |
266 |
Incorrect Privilege Assignment |
| | R |
267 |
Privilege Defined With Unsafe Actions |
| | R |
268 |
Privilege Chaining |
| | R |
269 |
Improper Privilege Management |
| | R |
270 |
Privilege Context Switching Error |
| | R |
271 |
Privilege Dropping / Lowering Errors |
| | R |
272 |
Least Privilege Violation |
| | R |
273 |
Improper Check for Dropped Privileges |
| | R |
274 |
Improper Handling of Insufficient Privileges |
| | R |
275 |
Permission Issues |
| | R |
276 |
Incorrect Default Permissions |
| | R |
277 |
Insecure Inherited Permissions |
| | R |
279 |
Incorrect Execution-Assigned Permissions |
| | R |
280 |
Improper Handling of Insufficient Permissions or Privileges |
| | R |
281 |
Improper Preservation of Permissions |
| | R |
282 |
Improper Ownership Management |
| | R |
283 |
Unverified Ownership |
| | R |
284 |
Improper Access Control |
| | R |
285 |
Improper Authorization |
| | R |
286 |
Incorrect User Management |
| | R |
287 |
Improper Authentication |
| | R |
288 |
Authentication Bypass Using an Alternate Path or Channel |
| | R |
289 |
Authentication Bypass by Alternate Name |
| | R |
290 |
Authentication Bypass by Spoofing |
| | R |
291 |
Reliance on IP Address for Authentication |
| | R |
293 |
Using Referer Field for Authentication |
| | R |
294 |
Authentication Bypass by Capture-replay |
| | R |
295 |
Improper Certificate Validation |
| | R |
296 |
Improper Following of a Certificate's Chain of Trust |
| | R |
297 |
Improper Validation of Certificate with Host Mismatch |
| | R |
298 |
Improper Validation of Certificate Expiration |
| | R |
299 |
Improper Check for Certificate Revocation |
| | R |
300 |
Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
| | R |
301 |
Reflection Attack in an Authentication Protocol |
| | R |
302 |
Authentication Bypass by Assumed-Immutable Data |
| | R |
303 |
Incorrect Implementation of Authentication Algorithm |
| | R |
304 |
Missing Critical Step in Authentication |
| | R |
305 |
Authentication Bypass by Primary Weakness |
| | R |
306 |
Missing Authentication for Critical Function |
| | R |
307 |
Improper Restriction of Excessive Authentication Attempts |
| | R |
308 |
Use of Single-factor Authentication |
| | R |
311 |
Missing Encryption of Sensitive Data |
| | R |
312 |
Cleartext Storage of Sensitive Information |
| | R |
313 |
Cleartext Storage in a File or on Disk |
| | R |
314 |
Cleartext Storage in the Registry |
| | R |
315 |
Cleartext Storage of Sensitive Information in a Cookie |
| | R |
316 |
Cleartext Storage of Sensitive Information in Memory |
| | R |
317 |
Cleartext Storage of Sensitive Information in GUI |
| | R |
318 |
Cleartext Storage of Sensitive Information in Executable |
| | R |
319 |
Cleartext Transmission of Sensitive Information |
| | R |
321 |
Use of Hard-coded Cryptographic Key |
| | R |
322 |
Key Exchange without Entity Authentication |
| | R |
323 |
Reusing a Nonce, Key Pair in Encryption |
| | R |
324 |
Use of a Key Past its Expiration Date |
| | R |
325 |
Missing Required Cryptographic Step |
| | R |
326 |
Inadequate Encryption Strength |
| | R |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
| | R |
328 |
Reversible One-Way Hash |
| | R |
330 |
Use of Insufficiently Random Values |
| | R |
331 |
Insufficient Entropy |
| | R |
332 |
Insufficient Entropy in PRNG |
| | R |
333 |
Improper Handling of Insufficient Entropy in TRNG |
| | R |
334 |
Small Space of Random Values |
D | N | R |
335 |
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
D | N | R |
336 |
Same Seed in Pseudo-Random Number Generator (PRNG) |
D | N | R |
337 |
Predictable Seed in Pseudo-Random Number Generator (PRNG) |
D | | R |
338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| | R |
339 |
Small Seed Space in PRNG |
| | R |
341 |
Predictable from Observable State |
| | R |
345 |
Insufficient Verification of Data Authenticity |
| | R |
346 |
Origin Validation Error |
| | R |
347 |
Improper Verification of Cryptographic Signature |
| | R |
349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
| | R |
350 |
Reliance on Reverse DNS Resolution for a Security-Critical Action |
| | R |
352 |
Cross-Site Request Forgery (CSRF) |
| | R |
353 |
Missing Support for Integrity Check |
| | R |
354 |
Improper Validation of Integrity Check Value |
| | R |
359 |
Exposure of Private Information ('Privacy Violation') |
D | N | |
361 |
7PK - Time and State |
| | R |
364 |
Signal Handler Race Condition |
| | R |
366 |
Race Condition within a Thread |
| | R |
367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
| | R |
370 |
Missing Check for Certificate Revocation after Initial Check |
| | R |
371 |
State Issues |
| | R |
376 |
Temporary File Issues |
| | R |
382 |
J2EE Bad Practices: Use of System.exit() |
| | R |
383 |
J2EE Bad Practices: Direct Use of Threads |
| | R |
384 |
Session Fixation |
| | R |
387 |
Signal Errors |
D | N | R |
388 |
7PK - Errors |
D | | R |
389 |
Error Conditions, Return Values, Status Codes |
| | R |
390 |
Detection of Error Condition Without Action |
| | R |
391 |
Unchecked Error Condition |
| | R |
392 |
Missing Report of Error Condition |
D | N | R |
398 |
7PK - Code Quality |
| | R |
399 |
Resource Management Errors |
| | R |
400 |
Uncontrolled Resource Consumption ('Resource Exhaustion') |
| | R |
401 |
Improper Release of Memory Before Removing Last Reference ('Memory Leak') |
| | R |
403 |
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') |
| | R |
404 |
Improper Resource Shutdown or Release |
| | R |
412 |
Unrestricted Externally Accessible Lock |
| | R |
415 |
Double Free |
| | R |
416 |
Use After Free |
| | R |
417 |
Channel and Path Errors |
D | N | R |
418 |
DEPRECATED: Channel Errors |
| | R |
419 |
Unprotected Primary Channel |
| | R |
420 |
Unprotected Alternate Channel |
| | R |
421 |
Race Condition During Access to Alternate Channel |
| | R |
422 |
Unprotected Windows Messaging Channel ('Shatter') |
| | R |
425 |
Direct Request ('Forced Browsing') |
| | R |
426 |
Untrusted Search Path |
| | R |
434 |
Unrestricted Upload of File with Dangerous Type |
| N | R |
435 |
Improper Interaction Between Multiple Entities |
| | R |
436 |
Interpretation Conflict |
| | R |
438 |
Behavioral Problems |
| | R |
441 |
Unintended Proxy or Intermediary ('Confused Deputy') |
| | R |
442 |
Web Problems |
| | R |
451 |
User Interface (UI) Misrepresentation of Critical Information |
D | | |
454 |
External Initialization of Trusted Variables or Data Stores |
| | R |
457 |
Use of Uninitialized Variable |
| | R |
460 |
Improper Cleanup on Thrown Exception |
| | R |
468 |
Incorrect Pointer Scaling |
| | R |
472 |
External Control of Assumed-Immutable Web Parameter |
| | R |
473 |
PHP External Variable Modification |
| | R |
474 |
Use of Function with Inconsistent Implementations |
| | R |
475 |
Undefined Behavior for Input to API |
| | R |
476 |
NULL Pointer Dereference |
| N | R |
477 |
Use of Obsolete Function |
| | R |
478 |
Missing Default Case in Switch Statement |
| | R |
479 |
Signal Handler Use of a Non-reentrant Function |
| | R |
483 |
Incorrect Block Delimitation |
| | R |
484 |
Omitted Break Statement in Switch |
D | N | R |
485 |
7PK - Encapsulation |
| | R |
486 |
Comparison of Classes by Name |
| | R |
487 |
Reliance on Package-level Scope |
| | R |
488 |
Exposure of Data Element to Wrong Session |
| | R |
489 |
Leftover Debug Code |
| | R |
490 |
Mobile Code Issues |
| | R |
494 |
Download of Code Without Integrity Check |
| | R |
495 |
Private Array-Typed Field Returned From A Public Method |
| | R |
496 |
Public Data Assigned to Private Array-Typed Field |
| | R |
498 |
Cloneable Class Containing Sensitive Information |
| | R |
499 |
Serializable Class Containing Sensitive Data |
| | R |
501 |
Trust Boundary Violation |
| | R |
502 |
Deserialization of Untrusted Data |
D | N | |
503 |
DEPRECATED: Byte/Object Code |
D | N | |
504 |
DEPRECATED: Motivation/Intent |
D | N | R |
505 |
DEPRECATED: Intentionally Introduced Weakness |
| | R |
506 |
Embedded Malicious Code |
D | N | R |
513 |
DEPRECATED: Intentionally Introduced Nonmalicious Weakness |
| | R |
514 |
Covert Channel |
D | N | R |
517 |
DEPRECATED: Other Intentional, Nonmalicious Weakness |
D | N | R |
518 |
DEPRECATED: Inadvertently Introduced Weakness |
D | | R |
519 |
.NET Environment Issues |
| | R |
521 |
Weak Password Requirements |
| | R |
522 |
Insufficiently Protected Credentials |
| | R |
523 |
Unprotected Transport of Credentials |
| | R |
527 |
Exposure of CVS Repository to an Unauthorized Control Sphere |
| | R |
528 |
Exposure of Core Dump File to an Unauthorized Control Sphere |
| | R |
529 |
Exposure of Access Control List Files to an Unauthorized Control Sphere |
| | R |
530 |
Exposure of Backup File to an Unauthorized Control Sphere |
| | R |
532 |
Information Exposure Through Log Files |
| | R |
533 |
Information Exposure Through Server Log Files |
| | R |
538 |
File and Directory Information Exposure |
| | R |
544 |
Missing Standardized Error Handling Mechanism |
| | R |
546 |
Suspicious Comment |
| | R |
547 |
Use of Hard-coded, Security-relevant Constants |
| | R |
550 |
Information Exposure Through Server Error Message |
| | R |
551 |
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
| | R |
552 |
Files or Directories Accessible to External Parties |
| | R |
554 |
ASP.NET Misconfiguration: Not Using Input Validation Framework |
| | R |
556 |
ASP.NET Misconfiguration: Use of Identity Impersonation |
| | R |
557 |
Concurrency Issues |
| | R |
559 |
Often Misused: Arguments and Parameters |
| | R |
561 |
Dead Code |
| | R |
562 |
Return of Stack Variable Address |
| N | R |
563 |
Assignment to Variable without Use |
| | R |
565 |
Reliance on Cookies without Validation and Integrity Checking |
| | R |
566 |
Authorization Bypass Through User-Controlled SQL Primary Key |
| | R |
570 |
Expression is Always False |
| | R |
571 |
Expression is Always True |
| | R |
572 |
Call to Thread run() instead of start() |
| | R |
573 |
Improper Following of Specification by Caller |
| | R |
579 |
J2EE Bad Practices: Non-serializable Object Stored in Session |
| | R |
580 |
clone() Method Without super.clone() |
| | R |
585 |
Empty Synchronized Block |
| | R |
586 |
Explicit Call to Finalize() |
| | R |
589 |
Call to Non-ubiquitous API |
| | R |
591 |
Sensitive Data Storage in Improperly Locked Memory |
| | R |
593 |
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
| | R |
594 |
J2EE Framework: Saving Unserializable Objects to Disk |
| | R |
599 |
Missing Validation of OpenSSL Certificate |
| | R |
600 |
Uncaught Exception in Servlet |
| | R |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
| | R |
602 |
Client-Side Enforcement of Server-Side Security |
| | R |
603 |
Use of Client-Side Authentication |
D | | R |
605 |
Multiple Binds to the Same Port |
| | R |
607 |
Public Static Final Field References Mutable Object |
| | R |
608 |
Struts: Non-private Field in ActionForm Class |
| | R |
610 |
Externally Controlled Reference to a Resource in Another Sphere |
| | R |
611 |
Improper Restriction of XML External Entity Reference ('XXE') |
| | R |
613 |
Insufficient Session Expiration |
| | R |
617 |
Reachable Assertion |
| | R |
618 |
Exposed Unsafe ActiveX Method |
| | R |
619 |
Dangling Database Cursor ('Cursor Injection') |
| | R |
620 |
Unverified Password Change |
D | N | R |
630 |
DEPRECATED: Weaknesses Examined by SAMATE |
D | N | R |
631 |
DEPRECATED: Resource-specific Weaknesses |
D | N | R |
632 |
DEPRECATED: Weaknesses that Affect Files or Directories |
D | N | R |
633 |
DEPRECATED: Weaknesses that Affect Memory |
D | N | R |
634 |
DEPRECATED: Weaknesses that Affect System Processes |
D | N | |
635 |
Weaknesses Originally Used by NVD from 2008 to 2016 |
| | R |
636 |
Not Failing Securely ('Failing Open') |
D | | R |
639 |
Authorization Bypass Through User-Controlled Key |
D | | R |
640 |
Weak Password Recovery Mechanism for Forgotten Password |
D | | R |
641 |
Improper Restriction of Names for Files and Other Resources |
| | R |
642 |
External Control of Critical State Data |
| | R |
643 |
Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
D | | R |
645 |
Overly Restrictive Account Lockout Mechanism |
| | R |
647 |
Use of Non-Canonical URL Paths for Authorization Decisions |
| | R |
648 |
Incorrect Use of Privileged APIs |
D | | R |
649 |
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking |
D | | R |
650 |
Trusting HTTP Permission Methods on the Server Side |
D | | |
651 |
Information Exposure Through WSDL File |
| | R |
652 |
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
| | R |
653 |
Insufficient Compartmentalization |
| | R |
656 |
Reliance on Security Through Obscurity |
| | R |
664 |
Improper Control of a Resource Through its Lifetime |
| | R |
668 |
Exposure of Resource to Wrong Sphere |
| | R |
669 |
Incorrect Resource Transfer Between Spheres |
| | R |
670 |
Always-Incorrect Control Flow Implementation |
| | R |
671 |
Lack of Administrator Control over Security |
| | R |
673 |
External Influence of Sphere Definition |
| | R |
674 |
Uncontrolled Recursion |
| | R |
675 |
Duplicate Operations on Resource |
| | R |
676 |
Use of Potentially Dangerous Function |
D | | |
678 |
Composites |
D | N | |
679 |
DEPRECATED: Chain Elements |
| | R |
680 |
Integer Overflow to Buffer Overflow |
| | R |
684 |
Incorrect Provision of Specified Functionality |
| | R |
689 |
Permission Race Condition During Resource Copy |
| | R |
690 |
Unchecked Return Value to NULL Pointer Dereference |
| | R |
691 |
Insufficient Control Flow Management |
| | R |
692 |
Incomplete Blacklist to Cross-Site Scripting |
| | R |
695 |
Use of Low-Level Functionality |
| | R |
699 |
Development Concepts |
| | R |
703 |
Improper Check or Handling of Exceptional Conditions |
| | R |
705 |
Incorrect Control Flow Scoping |
| | R |
707 |
Improper Enforcement of Message or Data Structure |
| | R |
708 |
Incorrect Ownership Assignment |
D | | |
709 |
Named Chains |
| N | R |
710 |
Improper Adherence to Coding Standards |
| | R |
728 |
OWASP Top Ten 2004 Category A7 - Improper Error Handling |
| | R |
731 |
OWASP Top Ten 2004 Category A10 - Insecure Configuration Management |
| | R |
732 |
Incorrect Permission Assignment for Critical Resource |
| | R |
733 |
Compiler Optimization Removal or Modification of Security-critical Code |
D | N | |
734 |
Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version) |
D | N | |
735 |
CERT C Secure Coding (2008 Version) Section 01 - Preprocessor (PRE) |
D | N | |
736 |
CERT C Secure Coding (2008 Version) Section 02 - Declarations and Initialization (DCL) |
D | N | |
737 |
CERT C Secure Coding (2008 Version) Section 03 - Expressions (EXP) |
D | N | |
738 |
CERT C Secure Coding (2008 Version) Section 04 - Integers (INT) |
D | N | |
739 |
CERT C Secure Coding (2008 Version) Section 05 - Floating Point (FLP) |
D | N | |
740 |
CERT C Secure Coding (2008 Version) Section 06 - Arrays (ARR) |
D | N | |
741 |
CERT C Secure Coding (2008 Version) Section 07 - Characters and Strings (STR) |
D | N | |
742 |
CERT C Secure Coding (2008 Version) Section 08 - Memory Management (MEM) |
D | N | |
743 |
CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO) |
D | N | |
744 |
CERT C Secure Coding (2008 Version) Section 10 - Environment (ENV) |
D | N | |
745 |
CERT C Secure Coding (2008 Version) Section 11 - Signals (SIG) |
D | N | |
746 |
CERT C Secure Coding (2008 Version) Section 12 - Error Handling (ERR) |
D | N | |
747 |
CERT C Secure Coding (2008 Version) Section 49 - Miscellaneous (MSC) |
D | N | |
748 |
CERT C Secure Coding (2008 Version) Section 50 - POSIX (POS) |
| | R |
749 |
Exposed Dangerous Method or Function |
| | R |
754 |
Improper Check for Unusual or Exceptional Conditions |
| | R |
755 |
Improper Handling of Exceptional Conditions |
| | R |
756 |
Missing Custom Error Page |
| | R |
757 |
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') |
| | R |
758 |
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
| | R |
759 |
Use of a One-Way Hash without a Salt |
| | R |
760 |
Use of a One-Way Hash with a Predictable Salt |
| | R |
763 |
Release of Invalid Pointer or Reference |
| | R |
766 |
Critical Variable Declared Public |
| | R |
767 |
Access to Critical Private Variable via Public Method |
D | N | R |
769 |
Uncontrolled File Descriptor Consumption |
| | R |
770 |
Allocation of Resources Without Limits or Throttling |
| | R |
773 |
Missing Reference to Active File Descriptor or Handle |
| | R |
774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
| | R |
775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
| | R |
778 |
Insufficient Logging |
| | R |
779 |
Logging of Excessive Data |
| | R |
780 |
Use of RSA Algorithm without OAEP |
| | R |
782 |
Exposed IOCTL with Insufficient Access Control |
| | R |
784 |
Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
| | R |
785 |
Use of Path Manipulation Function without Maximum-sized Buffer |
| | R |
790 |
Improper Filtering of Special Elements |
| | R |
791 |
Incomplete Filtering of Special Elements |
| | R |
792 |
Incomplete Filtering of One or More Instances of Special Elements |
| | R |
793 |
Only Filtering One Instance of a Special Element |
| | R |
794 |
Incomplete Filtering of Multiple Instances of Special Elements |
| | R |
795 |
Only Filtering Special Elements at a Specified Location |
| | R |
796 |
Only Filtering Special Elements Relative to a Marker |
| | R |
797 |
Only Filtering Special Elements at an Absolute Position |
| | R |
798 |
Use of Hard-coded Credentials |
| | R |
807 |
Reliance on Untrusted Inputs in a Security Decision |
| | R |
827 |
Improper Control of Document Type Definition |
| | R |
829 |
Inclusion of Functionality from Untrusted Control Sphere |
| | R |
830 |
Inclusion of Web Functionality from an Untrusted Source |
| | R |
834 |
Excessive Iteration |
| | R |
836 |
Use of Password Hash Instead of Password for Authentication |
D | | |
840 |
Business Logic Errors |
| | R |
841 |
Improper Enforcement of Behavioral Workflow |
| | R |
862 |
Missing Authorization |
| | R |
863 |
Incorrect Authorization |
| | R |
881 |
CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP) |
| | R |
912 |
Hidden Functionality |
| | R |
913 |
Improper Control of Dynamically-Managed Code Resources |
| | R |
916 |
Use of Password Hash With Insufficient Computational Effort |
| | R |
921 |
Storage of Sensitive Data in a Mechanism without Access Control |
| | R |
922 |
Insecure Storage of Sensitive Information |
| | R |
923 |
Improper Restriction of Communication Channel to Intended Endpoints |
| | R |
924 |
Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
| | R |
939 |
Improper Authorization in Handler for Custom URL Scheme |
| | R |
940 |
Improper Verification of Source of a Communication Channel |
| | R |
941 |
Incorrectly Specified Destination in a Communication Channel |
| | R |
942 |
Overly Permissive Cross-domain Whitelist |
| | R |
943 |
Improper Neutralization of Special Elements in Data Query Logic |
| | R |
966 |
SFP Secondary Cluster: Other Exposures |
| | R |
980 |
SFP Secondary Cluster: Link in Resource Name Resolution |
| | R |
990 |
SFP Secondary Cluster: Tainted Input to Command |
| | R |
1004 |
Sensitive Cookie Without 'HttpOnly' Flag |
D | N | |
1005 |
7PK - Input Validation and Representation |
1 |
DEPRECATED: Location |
|
Major |
Description, Maintenance_Notes, Name, Type |
|
Minor |
None |
2 |
7PK - Environment |
|
Major |
Description, Maintenance_Notes, Name |
|
Minor |
None |
3 |
DEPRECATED: Technology-specific Environment Issues |
|
Major |
Description, Maintenance_Notes, Name, Type |
|
Minor |
None |
5 |
J2EE Misconfiguration: Data Transmission Without Encryption |
|
Major |
Common_Consequences, Description |
|
Minor |
None |
6 |
J2EE Misconfiguration: Insufficient Session-ID Length |
|
Major |
Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
7 |
J2EE Misconfiguration: Missing Custom Error Page |
|
Major |
References |
|
Minor |
None |
8 |
J2EE Misconfiguration: Entity Bean Declared Remote |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
10 |
DEPRECATED: ASP.NET Environment Issues |
|
Major |
Description, Name, Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
11 |
ASP.NET Misconfiguration: Creating Debug Binary |
|
Major |
Relationships |
|
Minor |
None |
12 |
ASP.NET Misconfiguration: Missing Custom Error Page |
|
Major |
Demonstrative_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
13 |
ASP.NET Misconfiguration: Password in Configuration File |
|
Major |
Relationships |
|
Minor |
None |
14 |
Compiler Removal of Code to Clear Buffers |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
15 |
External Control of System or Configuration Setting |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
16 |
Configuration |
|
Major |
Detection_Factors |
|
Minor |
None |
18 |
Source Code |
|
Major |
Relationships |
|
Minor |
None |
19 |
Data Processing Errors |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
20 |
Improper Input Validation |
|
Major |
Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
21 |
Pathname Traversal and Equivalence Errors |
|
Major |
Applicable_Platforms, Description, Potential_Mitigations, Related_Attack_Patterns, Relationships |
|
Minor |
None |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
Major |
Affected_Resources, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Relevant_Properties, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms, Functional_Areas |
23 |
Relative Path Traversal |
|
Major |
Applicable_Platforms |
|
Minor |
None |
24 |
Path Traversal: '../filedir' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
25 |
Path Traversal: '/../filedir' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
26 |
Path Traversal: '/dir/../filename' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
27 |
Path Traversal: 'dir/../../filename' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
28 |
Path Traversal: '..\filedir' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
29 |
Path Traversal: '\..\filename' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
30 |
Path Traversal: '\dir\..\filename' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
31 |
Path Traversal: 'dir\..\..\filename' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
32 |
Path Traversal: '...' (Triple Dot) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
33 |
Path Traversal: '....' (Multiple Dot) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
34 |
Path Traversal: '....//' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
35 |
Path Traversal: '.../...//' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
36 |
Absolute Path Traversal |
|
Major |
Applicable_Platforms |
|
Minor |
None |
37 |
Path Traversal: '/absolute/pathname/here' |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
38 |
Path Traversal: '\absolute\pathname\here' |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
39 |
Path Traversal: 'C:dirname' |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
40 |
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
41 |
Improper Resolution of Path Equivalence |
|
Major |
Affected_Resources, Applicable_Platforms, Relationships, Taxonomy_Mappings |
|
Minor |
None |
42 |
Path Equivalence: 'filename.' (Trailing Dot) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
43 |
Path Equivalence: 'filename....' (Multiple Trailing Dot) |
|
Major |
Applicable_Platforms, Observed_Examples |
|
Minor |
None |
44 |
Path Equivalence: 'file.name' (Internal Dot) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
45 |
Path Equivalence: 'file...name' (Multiple Internal Dot) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
46 |
Path Equivalence: 'filename ' (Trailing Space) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
47 |
Path Equivalence: ' filename' (Leading Space) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
48 |
Path Equivalence: 'file name' (Internal Whitespace) |
|
Major |
None |
|
Minor |
Applicable_Platforms |
49 |
Path Equivalence: 'filename/' (Trailing Slash) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
50 |
Path Equivalence: '//multiple/leading/slash' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
51 |
Path Equivalence: '/multiple//internal/slash' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
52 |
Path Equivalence: '/multiple/trailing/slash//' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
53 |
Path Equivalence: '\multiple\\internal\backslash' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
54 |
Path Equivalence: 'filedir\' (Trailing Backslash) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
55 |
Path Equivalence: '/./' (Single Dot Directory) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
56 |
Path Equivalence: 'filedir*' (Wildcard) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
57 |
Path Equivalence: 'fakedir/../realdir/filename' |
|
Major |
Applicable_Platforms |
|
Minor |
None |
58 |
Path Equivalence: Windows 8.3 Filename |
|
Major |
Applicable_Platforms, References |
|
Minor |
Functional_Areas |
59 |
Improper Link Resolution Before File Access ('Link Following') |
|
Major |
Affected_Resources, Applicable_Platforms, Causal_Nature, Common_Consequences, Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
60 |
DEPRECATED: UNIX Path Link Problems |
|
Major |
Applicable_Platforms, Description, Name, Relationships, Type |
|
Minor |
None |
61 |
UNIX Symbolic Link (Symlink) Following |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships |
|
Minor |
None |
62 |
UNIX Hard Link |
|
Major |
Applicable_Platforms, Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
63 |
DEPRECATED: Windows Path Link Problems |
|
Major |
Applicable_Platforms, Description, Name, Relationships, Type |
|
Minor |
None |
64 |
Windows Shortcut Following (.LNK) |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings |
|
Minor |
None |
65 |
Windows Hard Link |
|
Major |
Applicable_Platforms, Relationships, Taxonomy_Mappings |
|
Minor |
None |
66 |
Improper Handling of File Names that Identify Virtual Resources |
|
Major |
Affected_Resources, Applicable_Platforms, Relationships |
|
Minor |
Functional_Areas |
67 |
Improper Handling of Windows Device Names |
|
Major |
Affected_Resources, Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
68 |
DEPRECATED: Windows Virtual File Problems |
|
Major |
Applicable_Platforms, Description, Name, Relationships, Type |
|
Minor |
None |
69 |
Improper Handling of Windows ::DATA Alternate Data Stream |
|
Major |
Applicable_Platforms, References, Relationships |
|
Minor |
None |
70 |
DEPRECATED: Mac Virtual File Problems |
|
Major |
Affected_Resources, Applicable_Platforms, Description, Name, Relationships, Type |
|
Minor |
None |
71 |
DEPRECATED: Apple '.DS_Store' |
|
Major |
Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Name, Observed_Examples, Relationships, Research_Gaps, Time_of_Introduction, Type |
|
Minor |
None |
72 |
Improper Handling of Apple HFS+ Alternate Data Stream Path |
|
Major |
Applicable_Platforms, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
73 |
External Control of File Name or Path |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
75 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
76 |
Improper Neutralization of Equivalent Special Elements |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
Major |
Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
Major |
Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
Applicable_Platforms, Functional_Areas |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
Major |
Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
80 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Relationships, White_Box_Definitions |
|
Minor |
None |
81 |
Improper Neutralization of Script in an Error Message Web Page |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
82 |
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
|
Major |
Applicable_Platforms |
|
Minor |
None |
83 |
Improper Neutralization of Script in Attributes in a Web Page |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
84 |
Improper Neutralization of Encoded URI Schemes in a Web Page |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
85 |
Doubled Character XSS Manipulations |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
86 |
Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
|
Major |
Applicable_Platforms |
|
Minor |
None |
87 |
Improper Neutralization of Alternate XSS Syntax |
|
Major |
Applicable_Platforms |
|
Minor |
None |
88 |
Argument Injection or Modification |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Likelihood_of_Exploit, Modes_of_Introduction, Observed_Examples, References, Relationships, White_Box_Definitions |
|
Minor |
None |
90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
91 |
XML Injection (aka Blind XPath Injection) |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
94 |
Improper Control of Generation of Code ('Code Injection') |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
Major |
Causal_Nature, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
|
Major |
Affected_Resources, Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships |
|
Minor |
None |
97 |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
98 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
|
Major |
Affected_Resources, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
99 |
Improper Control of Resource Identifiers ('Resource Injection') |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, White_Box_Definitions |
|
Minor |
None |
100 |
DEPRECATED: Technology-Specific Input Validation Problems |
|
Major |
Description, Name, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type |
|
Minor |
None |
101 |
DEPRECATED: Struts Validation Problems |
|
Major |
Applicable_Platforms, Description, Name, Relationships, Type |
|
Minor |
None |
102 |
Struts: Duplicate Validation Forms |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
103 |
Struts: Incomplete validate() Method Definition |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
104 |
Struts: Form Bean Does Not Extend Validation Class |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
105 |
Struts: Form Field Without Validator |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
106 |
Struts: Plug-in Framework not in Use |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
107 |
Struts: Unused Validation Form |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
108 |
Struts: Unvalidated Action Form |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
109 |
Struts: Validator Turned Off |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
110 |
Struts: Validator Without Form Field |
|
Major |
Causal_Nature, Demonstrative_Examples, Detection_Factors, Potential_Mitigations, Relationships |
|
Minor |
None |
111 |
Direct Use of Unsafe JNI |
|
Major |
Causal_Nature, Potential_Mitigations, References |
|
Minor |
None |
112 |
Missing XML Validation |
|
Major |
Applicable_Platforms, Causal_Nature, Relationships |
|
Minor |
None |
113 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
|
Major |
Applicable_Platforms, Demonstrative_Examples |
|
Minor |
None |
114 |
Process Control |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
115 |
Misinterpretation of Input |
|
Major |
Applicable_Platforms |
|
Minor |
None |
116 |
Improper Encoding or Escaping of Output |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings |
|
Minor |
None |
117 |
Improper Output Neutralization for Logs |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
118 |
Incorrect Access of Indexable Resource ('Range Error') |
|
Major |
Applicable_Platforms |
|
Minor |
None |
119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
Major |
Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
121 |
Stack-based Buffer Overflow |
|
Major |
Background_Details, Causal_Nature, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
122 |
Heap-based Buffer Overflow |
|
Major |
Causal_Nature, Likelihood_of_Exploit, Observed_Examples, References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
123 |
Write-what-where Condition |
|
Major |
Causal_Nature, Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
None |
124 |
Buffer Underwrite ('Buffer Underflow') |
|
Major |
Causal_Nature, Demonstrative_Examples, References |
|
Minor |
None |
125 |
Out-of-bounds Read |
|
Major |
Causal_Nature, Observed_Examples, Taxonomy_Mappings |
|
Minor |
None |
126 |
Buffer Over-read |
|
Major |
Causal_Nature, Demonstrative_Examples |
|
Minor |
None |
127 |
Buffer Under-read |
|
Major |
Causal_Nature |
|
Minor |
None |
128 |
Wrap-around Error |
|
Major |
Causal_Nature, Taxonomy_Mappings |
|
Minor |
None |
129 |
Improper Validation of Array Index |
|
Major |
Causal_Nature, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
130 |
Improper Handling of Length Parameter Inconsistency |
|
Major |
Applicable_Platforms, Causal_Nature, Demonstrative_Examples |
|
Minor |
None |
131 |
Incorrect Calculation of Buffer Size |
|
Major |
Likelihood_of_Exploit, References, Taxonomy_Mappings |
|
Minor |
None |
133 |
String Errors |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
134 |
Use of Externally-Controlled Format String |
|
Major |
Applicable_Platforms, Causal_Nature, Functional_Areas, Likelihood_of_Exploit, Other_Notes, References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
135 |
Incorrect Calculation of Multi-Byte String Length |
|
Major |
Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Taxonomy_Mappings |
|
Minor |
None |
138 |
Improper Neutralization of Special Elements |
|
Major |
Modes_of_Introduction, Potential_Mitigations, Relationships |
|
Minor |
Applicable_Platforms |
141 |
Improper Neutralization of Parameter/Argument Delimiters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
142 |
Improper Neutralization of Value Delimiters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
143 |
Improper Neutralization of Record Delimiters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
144 |
Improper Neutralization of Line Delimiters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
145 |
Improper Neutralization of Section Delimiters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
146 |
Improper Neutralization of Expression/Command Delimiters |
|
Major |
None |
|
Minor |
Applicable_Platforms |
147 |
Improper Neutralization of Input Terminators |
|
Major |
Applicable_Platforms |
|
Minor |
None |
150 |
Improper Neutralization of Escape, Meta, or Control Sequences |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
151 |
Improper Neutralization of Comment Delimiters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
152 |
Improper Neutralization of Macro Symbols |
|
Major |
Applicable_Platforms |
|
Minor |
None |
153 |
Improper Neutralization of Substitution Characters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
154 |
Improper Neutralization of Variable Name Delimiters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
155 |
Improper Neutralization of Wildcards or Matching Symbols |
|
Major |
Applicable_Platforms |
|
Minor |
None |
156 |
Improper Neutralization of Whitespace |
|
Major |
Applicable_Platforms |
|
Minor |
None |
157 |
Failure to Sanitize Paired Delimiters |
|
Major |
None |
|
Minor |
Applicable_Platforms |
158 |
Improper Neutralization of Null Byte or NUL Character |
|
Major |
Applicable_Platforms |
|
Minor |
None |
159 |
Failure to Sanitize Special Element |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
160 |
Improper Neutralization of Leading Special Elements |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
161 |
Improper Neutralization of Multiple Leading Special Elements |
|
Major |
Applicable_Platforms |
|
Minor |
None |
162 |
Improper Neutralization of Trailing Special Elements |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
163 |
Improper Neutralization of Multiple Trailing Special Elements |
|
Major |
Applicable_Platforms |
|
Minor |
None |
164 |
Improper Neutralization of Internal Special Elements |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
165 |
Improper Neutralization of Multiple Internal Special Elements |
|
Major |
Applicable_Platforms |
|
Minor |
None |
166 |
Improper Handling of Missing Special Element |
|
Major |
Applicable_Platforms |
|
Minor |
None |
167 |
Improper Handling of Additional Special Element |
|
Major |
Applicable_Platforms |
|
Minor |
None |
168 |
Improper Handling of Inconsistent Special Elements |
|
Major |
Applicable_Platforms |
|
Minor |
None |
169 |
DEPRECATED: Technology-Specific Special Elements |
|
Major |
Applicable_Platforms, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
170 |
Improper Null Termination |
|
Major |
Causal_Nature, Observed_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
171 |
Cleansing, Canonicalization, and Comparison Errors |
|
Major |
Applicable_Platforms, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
172 |
Encoding Error |
|
Major |
Applicable_Platforms |
|
Minor |
None |
173 |
Improper Handling of Alternate Encoding |
|
Major |
Applicable_Platforms |
|
Minor |
None |
174 |
Double Decoding of the Same Data |
|
Major |
Applicable_Platforms |
|
Minor |
None |
175 |
Improper Handling of Mixed Encoding |
|
Major |
Applicable_Platforms |
|
Minor |
None |
176 |
Improper Handling of Unicode Encoding |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
177 |
Improper Handling of URL Encoding (Hex Encoding) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
178 |
Improper Handling of Case Sensitivity |
|
Major |
Affected_Resources, Applicable_Platforms, Functional_Areas, Relationships |
|
Minor |
None |
179 |
Incorrect Behavior Order: Early Validation |
|
Major |
Applicable_Platforms |
|
Minor |
None |
180 |
Incorrect Behavior Order: Validate Before Canonicalize |
|
Major |
Applicable_Platforms, Functional_Areas |
|
Minor |
None |
181 |
Incorrect Behavior Order: Validate Before Filter |
|
Major |
Applicable_Platforms |
|
Minor |
None |
182 |
Collapse of Data into Unsafe Value |
|
Major |
Applicable_Platforms, Relevant_Properties |
|
Minor |
None |
183 |
Permissive Whitelist |
|
Major |
Applicable_Platforms |
|
Minor |
None |
184 |
Incomplete Blacklist |
|
Major |
Applicable_Platforms, References |
|
Minor |
None |
185 |
Incorrect Regular Expression |
|
Major |
References |
|
Minor |
Applicable_Platforms |
186 |
Overly Restrictive Regular Expression |
|
Major |
Applicable_Platforms |
|
Minor |
None |
187 |
Partial Comparison |
|
Major |
Applicable_Platforms |
|
Minor |
None |
189 |
Numeric Errors |
|
Major |
Applicable_Platforms, Relationships, Taxonomy_Mappings |
|
Minor |
None |
190 |
Integer Overflow or Wraparound |
|
Major |
Functional_Areas, Observed_Examples, References, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
191 |
Integer Underflow (Wrap or Wraparound) |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
192 |
Integer Coercion Error |
|
Major |
Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
193 |
Off-by-one Error |
|
Major |
Applicable_Platforms, References, Taxonomy_Mappings |
|
Minor |
None |
194 |
Unexpected Sign Extension |
|
Major |
References, Taxonomy_Mappings |
|
Minor |
None |
195 |
Signed to Unsigned Conversion Error |
|
Major |
Observed_Examples, Taxonomy_Mappings |
|
Minor |
None |
197 |
Numeric Truncation Error |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
198 |
Use of Incorrect Byte Ordering |
|
Major |
Applicable_Platforms |
|
Minor |
None |
199 |
Information Management Errors |
|
Major |
Applicable_Platforms |
|
Minor |
None |
200 |
Information Exposure |
|
Major |
References |
|
Minor |
Applicable_Platforms |
201 |
Information Exposure Through Sent Data |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
202 |
Exposure of Sensitive Data Through Data Queries |
|
Major |
Applicable_Platforms |
|
Minor |
None |
203 |
Information Exposure Through Discrepancy |
|
Major |
Applicable_Platforms |
|
Minor |
None |
204 |
Response Discrepancy Information Exposure |
|
Major |
Applicable_Platforms |
|
Minor |
None |
205 |
Information Exposure Through Behavioral Discrepancy |
|
Major |
Applicable_Platforms |
|
Minor |
None |
206 |
Information Exposure of Internal State Through Behavioral Inconsistency |
|
Major |
Applicable_Platforms |
|
Minor |
None |
207 |
Information Exposure Through an External Behavioral Inconsistency |
|
Major |
Applicable_Platforms |
|
Minor |
None |
208 |
Information Exposure Through Timing Discrepancy |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
Functional_Areas |
209 |
Information Exposure Through an Error Message |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
210 |
Information Exposure Through Self-generated Error Message |
|
Major |
Applicable_Platforms, Functional_Areas, Modes_of_Introduction, Relationships |
|
Minor |
None |
211 |
Information Exposure Through Externally-Generated Error Message |
|
Major |
Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships |
|
Minor |
Functional_Areas, Name |
212 |
Improper Cross-boundary Removal of Sensitive Data |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
213 |
Intentional Information Exposure |
|
Major |
Applicable_Platforms |
|
Minor |
None |
214 |
Information Exposure Through Process Environment |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
215 |
Information Exposure Through Debug Information |
|
Major |
Applicable_Platforms |
|
Minor |
None |
216 |
Containment Errors (Container Errors) |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
219 |
Sensitive Data Under Web Root |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
220 |
Sensitive Data Under FTP Root |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
221 |
Information Loss or Omission |
|
Major |
Applicable_Platforms |
|
Minor |
None |
222 |
Truncation of Security-relevant Information |
|
Major |
Applicable_Platforms |
|
Minor |
None |
223 |
Omission of Security-relevant Information |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
224 |
Obscured Security-relevant Information by Alternate Name |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
226 |
Sensitive Information Uncleared Before Release |
|
Major |
Causal_Nature, Functional_Areas, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
227 |
7PK - API Abuse |
|
Major |
Alternate_Terms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type |
|
Minor |
None |
228 |
Improper Handling of Syntactically Invalid Structure |
|
Major |
Relevant_Properties |
|
Minor |
None |
230 |
Improper Handling of Missing Values |
|
Major |
Applicable_Platforms |
|
Minor |
None |
231 |
Improper Handling of Extra Values |
|
Major |
Applicable_Platforms, Time_of_Introduction |
|
Minor |
None |
232 |
Improper Handling of Undefined Values |
|
Major |
Applicable_Platforms |
|
Minor |
None |
234 |
Failure to Handle Missing Parameter |
|
Major |
Applicable_Platforms, Demonstrative_Examples |
|
Minor |
None |
235 |
Improper Handling of Extra Parameters |
|
Major |
Applicable_Platforms, Time_of_Introduction |
|
Minor |
None |
236 |
Improper Handling of Undefined Parameters |
|
Major |
Applicable_Platforms |
|
Minor |
None |
238 |
Improper Handling of Incomplete Structural Elements |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
239 |
Failure to Handle Incomplete Element |
|
Major |
Applicable_Platforms |
|
Minor |
None |
240 |
Improper Handling of Inconsistent Structural Elements |
|
Major |
Applicable_Platforms, Type |
|
Minor |
None |
241 |
Improper Handling of Unexpected Data Type |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
242 |
Use of Inherently Dangerous Function |
|
Major |
Causal_Nature, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
243 |
Creation of chroot Jail Without Changing Working Directory |
|
Major |
Affected_Resources, Causal_Nature, Modes_of_Introduction, Relationships |
|
Minor |
None |
244 |
Improper Clearing of Heap Memory Before Release ('Heap Inspection') |
|
Major |
Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
245 |
J2EE Bad Practices: Direct Management of Connections |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
246 |
J2EE Bad Practices: Direct Use of Sockets |
|
Major |
Causal_Nature, Relationships |
|
Minor |
None |
248 |
Uncaught Exception |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
250 |
Execution with Unnecessary Privileges |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
251 |
Often Misused: String Management |
|
Major |
Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Relationships, White_Box_Definitions |
|
Minor |
None |
252 |
Unchecked Return Value |
|
Major |
Applicable_Platforms, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
253 |
Incorrect Check of Function Return Value |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
254 |
7PK - Security Features |
|
Major |
Name, Relationships |
|
Minor |
None |
255 |
Credentials Management |
|
Major |
Applicable_Platforms, Detection_Factors |
|
Minor |
None |
256 |
Plaintext Storage of a Password |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
257 |
Storing Passwords in a Recoverable Format |
|
Major |
Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
258 |
Empty Password in Configuration File |
|
Major |
Applicable_Platforms, Causal_Nature, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
259 |
Use of Hard-coded Password |
|
Major |
Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Relationships, White_Box_Definitions |
|
Minor |
Applicable_Platforms |
260 |
Password in Configuration File |
|
Major |
Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
261 |
Weak Cryptography for Passwords |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
262 |
Not Using Password Aging |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
263 |
Password Aging with Long Expiration |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
264 |
Permissions, Privileges, and Access Controls |
|
Major |
Applicable_Platforms, Detection_Factors, Potential_Mitigations, References, Related_Attack_Patterns, Relationships |
|
Minor |
None |
265 |
Privilege / Sandbox Issues |
|
Major |
Detection_Factors, Potential_Mitigations, Relationships |
|
Minor |
None |
266 |
Incorrect Privilege Assignment |
|
Major |
Causal_Nature, Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
267 |
Privilege Defined With Unsafe Actions |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
268 |
Privilege Chaining |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
269 |
Improper Privilege Management |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Type |
|
Minor |
None |
270 |
Privilege Context Switching Error |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
271 |
Privilege Dropping / Lowering Errors |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships |
|
Minor |
None |
272 |
Least Privilege Violation |
|
Major |
Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
273 |
Improper Check for Dropped Privileges |
|
Major |
Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
274 |
Improper Handling of Insufficient Privileges |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships |
|
Minor |
None |
275 |
Permission Issues |
|
Major |
Affected_Resources, Detection_Factors, Functional_Areas, Related_Attack_Patterns, Relationships |
|
Minor |
None |
276 |
Incorrect Default Permissions |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
277 |
Insecure Inherited Permissions |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
278 |
Insecure Preserved Inherited Permissions |
|
Major |
Applicable_Platforms |
|
Minor |
None |
279 |
Incorrect Execution-Assigned Permissions |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
280 |
Improper Handling of Insufficient Permissions or Privileges |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
None |
281 |
Improper Preservation of Permissions |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
282 |
Improper Ownership Management |
|
Major |
Affected_Resources, Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
283 |
Unverified Ownership |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
284 |
Improper Access Control |
|
Major |
Affected_Resources, Modes_of_Introduction, Observed_Examples, References, Relationships |
|
Minor |
None |
285 |
Improper Authorization |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
286 |
Incorrect User Management |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
287 |
Improper Authentication |
|
Major |
Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
288 |
Authentication Bypass Using an Alternate Path or Channel |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
289 |
Authentication Bypass by Alternate Name |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
290 |
Authentication Bypass by Spoofing |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
291 |
Reliance on IP Address for Authentication |
|
Major |
Causal_Nature, Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
293 |
Using Referer Field for Authentication |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships, Relevant_Properties |
|
Minor |
None |
294 |
Authentication Bypass by Capture-replay |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
295 |
Improper Certificate Validation |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
296 |
Improper Following of a Certificate's Chain of Trust |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
297 |
Improper Validation of Certificate with Host Mismatch |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
298 |
Improper Validation of Certificate Expiration |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
299 |
Improper Check for Certificate Revocation |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships, Type |
|
Minor |
Applicable_Platforms |
300 |
Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
301 |
Reflection Attack in an Authentication Protocol |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
302 |
Authentication Bypass by Assumed-Immutable Data |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
303 |
Incorrect Implementation of Authentication Algorithm |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
304 |
Missing Critical Step in Authentication |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
305 |
Authentication Bypass by Primary Weakness |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
306 |
Missing Authentication for Critical Function |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
307 |
Improper Restriction of Excessive Authentication Attempts |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
308 |
Use of Single-factor Authentication |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
309 |
Use of Password System for Primary Authentication |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit |
|
Minor |
None |
310 |
Cryptographic Issues |
|
Major |
Applicable_Platforms, Functional_Areas, References, Related_Attack_Patterns, Relationship_Notes |
|
Minor |
None |
311 |
Missing Encryption of Sensitive Data |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships |
|
Minor |
Applicable_Platforms |
312 |
Cleartext Storage of Sensitive Information |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
313 |
Cleartext Storage in a File or on Disk |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
314 |
Cleartext Storage in the Registry |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
315 |
Cleartext Storage of Sensitive Information in a Cookie |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
316 |
Cleartext Storage of Sensitive Information in Memory |
|
Major |
Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
Applicable_Platforms |
317 |
Cleartext Storage of Sensitive Information in GUI |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
318 |
Cleartext Storage of Sensitive Information in Executable |
|
Major |
Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
Applicable_Platforms |
319 |
Cleartext Transmission of Sensitive Information |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
320 |
Key Management Errors |
|
Major |
Applicable_Platforms, Observed_Examples |
|
Minor |
None |
321 |
Use of Hard-coded Cryptographic Key |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
322 |
Key Exchange without Entity Authentication |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
323 |
Reusing a Nonce, Key Pair in Encryption |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
324 |
Use of a Key Past its Expiration Date |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
325 |
Missing Required Cryptographic Step |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
326 |
Inadequate Encryption Strength |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
|
Major |
Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
328 |
Reversible One-Way Hash |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
329 |
Not Using a Random IV with CBC Mode |
|
Major |
Applicable_Platforms, Demonstrative_Examples |
|
Minor |
None |
330 |
Use of Insufficiently Random Values |
|
Major |
Functional_Areas, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
331 |
Insufficient Entropy |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
332 |
Insufficient Entropy in PRNG |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
333 |
Improper Handling of Insufficient Entropy in TRNG |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
334 |
Small Space of Random Values |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
335 |
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
|
Major |
Applicable_Platforms, Description, Modes_of_Introduction, Name, Relationships, Type |
|
Minor |
None |
336 |
Same Seed in Pseudo-Random Number Generator (PRNG) |
|
Major |
Applicable_Platforms, Description, Modes_of_Introduction, Name, References, Relationships |
|
Minor |
None |
337 |
Predictable Seed in Pseudo-Random Number Generator (PRNG) |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, References, Relationships |
|
Minor |
None |
338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
Major |
Demonstrative_Examples, Description, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
339 |
Small Seed Space in PRNG |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
341 |
Predictable from Observable State |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
342 |
Predictable Exact Value from Previous Values |
|
Major |
Applicable_Platforms, References |
|
Minor |
None |
343 |
Predictable Value Range from Previous Values |
|
Major |
Applicable_Platforms, References |
|
Minor |
None |
344 |
Use of Invariant Value in Dynamically Changing Context |
|
Major |
Applicable_Platforms, References, Relevant_Properties |
|
Minor |
None |
345 |
Insufficient Verification of Data Authenticity |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
346 |
Origin Validation Error |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
347 |
Improper Verification of Cryptographic Signature |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
348 |
Use of Less Trusted Source |
|
Major |
Applicable_Platforms |
|
Minor |
None |
349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
350 |
Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
Applicable_Platforms |
351 |
Insufficient Type Distinction |
|
Major |
Applicable_Platforms |
|
Minor |
None |
352 |
Cross-Site Request Forgery (CSRF) |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
353 |
Missing Support for Integrity Check |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
354 |
Improper Validation of Integrity Check Value |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
356 |
Product UI does not Warn User of Unsafe Actions |
|
Major |
Applicable_Platforms |
|
Minor |
None |
357 |
Insufficient UI Warning of Dangerous Operations |
|
Major |
Applicable_Platforms |
|
Minor |
None |
358 |
Improperly Implemented Security Check for Standard |
|
Major |
Applicable_Platforms |
|
Minor |
None |
359 |
Exposure of Private Information ('Privacy Violation') |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
360 |
Trust of System Event Data |
|
Major |
Applicable_Platforms |
|
Minor |
None |
361 |
7PK - Time and State |
|
Major |
Description, Name, References, Related_Attack_Patterns, Taxonomy_Mappings |
|
Minor |
None |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
Major |
Demonstrative_Examples, References, Research_Gaps, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
363 |
Race Condition Enabling Link Following |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
364 |
Signal Handler Race Condition |
|
Major |
Observed_Examples, Relationships |
|
Minor |
Functional_Areas |
365 |
Race Condition in Switch |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
366 |
Race Condition within a Thread |
|
Major |
Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
368 |
Context Switching Race Condition |
|
Major |
Applicable_Platforms |
|
Minor |
None |
369 |
Divide By Zero |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
None |
370 |
Missing Check for Certificate Revocation after Initial Check |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships, Type |
|
Minor |
Applicable_Platforms |
371 |
State Issues |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
372 |
Incomplete Internal State Distinction |
|
Major |
Applicable_Platforms |
|
Minor |
None |
374 |
Passing Mutable Objects to an Untrusted Method |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
375 |
Returning a Mutable Object to an Untrusted Caller |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
376 |
Temporary File Issues |
|
Major |
Affected_Resources, Relationships |
|
Minor |
None |
377 |
Insecure Temporary File |
|
Major |
Applicable_Platforms, References, Taxonomy_Mappings |
|
Minor |
None |
378 |
Creation of Temporary File With Insecure Permissions |
|
Major |
Applicable_Platforms, Demonstrative_Examples |
|
Minor |
None |
379 |
Creation of Temporary File in Directory with Incorrect Permissions |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
None |
382 |
J2EE Bad Practices: Use of System.exit() |
|
Major |
Relationships |
|
Minor |
None |
383 |
J2EE Bad Practices: Direct Use of Threads |
|
Major |
Relationships |
|
Minor |
None |
384 |
Session Fixation |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
385 |
Covert Timing Channel |
|
Major |
Applicable_Platforms, Demonstrative_Examples |
|
Minor |
None |
386 |
Symbolic Name not Mapping to Correct Object |
|
Major |
Applicable_Platforms |
|
Minor |
None |
387 |
Signal Errors |
|
Major |
Affected_Resources, Applicable_Platforms, Observed_Examples, Relationships |
|
Minor |
None |
388 |
7PK - Errors |
|
Major |
Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
389 |
Error Conditions, Return Values, Status Codes |
|
Major |
Applicable_Platforms, Description, Other_Notes, References, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
390 |
Detection of Error Condition Without Action |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
391 |
Unchecked Error Condition |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
392 |
Missing Report of Error Condition |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
393 |
Return of Wrong Status Code |
|
Major |
Applicable_Platforms |
|
Minor |
None |
394 |
Unexpected Status Code or Return Value |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
398 |
7PK - Code Quality |
|
Major |
Common_Consequences, Description, Detection_Factors, Name, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type |
|
Minor |
None |
399 |
Resource Management Errors |
|
Major |
Applicable_Platforms, Detection_Factors, Relationships |
|
Minor |
None |
400 |
Uncontrolled Resource Consumption ('Resource Exhaustion') |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Likelihood_of_Exploit, Potential_Mitigations, References, Relationships |
|
Minor |
None |
401 |
Improper Release of Memory Before Removing Last Reference ('Memory Leak') |
|
Major |
References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
Functional_Areas |
403 |
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') |
|
Major |
Affected_Resources, Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
404 |
Improper Resource Shutdown or Release |
|
Major |
Applicable_Platforms, Functional_Areas, Likelihood_of_Exploit, Relationships, Taxonomy_Mappings |
|
Minor |
None |
405 |
Asymmetric Resource Consumption (Amplification) |
|
Major |
Applicable_Platforms, Functional_Areas |
|
Minor |
None |
406 |
Insufficient Control of Network Message Volume (Network Amplification) |
|
Major |
Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction |
|
Minor |
None |
407 |
Algorithmic Complexity |
|
Major |
Likelihood_of_Exploit |
|
Minor |
Applicable_Platforms |
408 |
Incorrect Behavior Order: Early Amplification |
|
Major |
Applicable_Platforms |
|
Minor |
None |
409 |
Improper Handling of Highly Compressed Data (Data Amplification) |
|
Major |
Applicable_Platforms |
|
Minor |
None |
410 |
Insufficient Resource Pool |
|
Major |
Applicable_Platforms, Functional_Areas, References |
|
Minor |
None |
412 |
Unrestricted Externally Accessible Lock |
|
Major |
Applicable_Platforms, Relationships, White_Box_Definitions |
|
Minor |
None |
413 |
Improper Resource Locking |
|
Major |
Applicable_Platforms |
|
Minor |
None |
414 |
Missing Lock Check |
|
Major |
Applicable_Platforms |
|
Minor |
None |
415 |
Double Free |
|
Major |
Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
416 |
Use After Free |
|
Major |
Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
417 |
Channel and Path Errors |
|
Major |
Applicable_Platforms, Maintenance_Notes, Relationships |
|
Minor |
None |
418 |
DEPRECATED: Channel Errors |
|
Major |
Applicable_Platforms, Description, Name, Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
419 |
Unprotected Primary Channel |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
420 |
Unprotected Alternate Channel |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
421 |
Race Condition During Access to Alternate Channel |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
422 |
Unprotected Windows Messaging Channel ('Shatter') |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
424 |
Improper Protection of Alternate Path |
|
Major |
Applicable_Platforms |
|
Minor |
None |
425 |
Direct Request ('Forced Browsing') |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
426 |
Untrusted Search Path |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms, Functional_Areas |
427 |
Uncontrolled Search Path Element |
|
Major |
None |
|
Minor |
Applicable_Platforms |
428 |
Unquoted Search Path or Element |
|
Major |
Applicable_Platforms, Demonstrative_Examples |
|
Minor |
Functional_Areas |
430 |
Deployment of Wrong Handler |
|
Major |
Applicable_Platforms |
|
Minor |
None |
431 |
Missing Handler |
|
Major |
Applicable_Platforms |
|
Minor |
None |
432 |
Dangerous Signal Handler not Disabled During Sensitive Operations |
|
Major |
None |
|
Minor |
Applicable_Platforms |
433 |
Unparsed Raw Web Content Delivery |
|
Major |
Applicable_Platforms, Observed_Examples |
|
Minor |
None |
434 |
Unrestricted Upload of File with Dangerous Type |
|
Major |
Affected_Resources, Applicable_Platforms, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Weakness_Ordinalities |
|
Minor |
None |
435 |
Improper Interaction Between Multiple Entities |
|
Major |
Applicable_Platforms, Name, Relationships |
|
Minor |
None |
436 |
Interpretation Conflict |
|
Major |
Demonstrative_Examples, Observed_Examples, References, Relationships |
|
Minor |
Applicable_Platforms |
437 |
Incomplete Model of Endpoint Features |
|
Major |
Applicable_Platforms |
|
Minor |
None |
438 |
Behavioral Problems |
|
Major |
Relationships |
|
Minor |
None |
439 |
Behavioral Change in New Version or Environment |
|
Major |
Applicable_Platforms |
|
Minor |
None |
440 |
Expected Behavior Violation |
|
Major |
Applicable_Platforms, Relevant_Properties |
|
Minor |
None |
441 |
Unintended Proxy or Intermediary ('Confused Deputy') |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
442 |
Web Problems |
|
Major |
Relationships |
|
Minor |
None |
444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
|
Major |
Applicable_Platforms |
|
Minor |
None |
446 |
UI Discrepancy for Security Feature |
|
Major |
Applicable_Platforms |
|
Minor |
None |
447 |
Unimplemented or Unsupported Feature in UI |
|
Major |
Applicable_Platforms |
|
Minor |
None |
448 |
Obsolete Feature in UI |
|
Major |
Applicable_Platforms |
|
Minor |
None |
449 |
The UI Performs the Wrong Action |
|
Major |
Applicable_Platforms |
|
Minor |
None |
450 |
Multiple Interpretations of UI Input |
|
Major |
Applicable_Platforms |
|
Minor |
None |
451 |
User Interface (UI) Misrepresentation of Critical Information |
|
Major |
Observed_Examples, References, Relationships, Type |
|
Minor |
Applicable_Platforms |
452 |
Initialization and Cleanup Errors |
|
Major |
Applicable_Platforms, Research_Gaps |
|
Minor |
None |
453 |
Insecure Default Variable Initialization |
|
Major |
Applicable_Platforms |
|
Minor |
None |
454 |
External Initialization of Trusted Variables or Data Stores |
|
Major |
Description |
|
Minor |
Applicable_Platforms |
455 |
Non-exit on Failed Initialization |
|
Major |
Applicable_Platforms |
|
Minor |
None |
456 |
Missing Initialization of a Variable |
|
Major |
Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
457 |
Use of Uninitialized Variable |
|
Major |
References, Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
Applicable_Platforms |
459 |
Incomplete Cleanup |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
Functional_Areas |
460 |
Improper Cleanup on Thrown Exception |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
462 |
Duplicate Key in Associative List (Alist) |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
463 |
Deletion of Data Structure Sentinel |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
464 |
Addition of Data Structure Sentinel |
|
Major |
Demonstrative_Examples, Likelihood_of_Exploit, Taxonomy_Mappings |
|
Minor |
None |
466 |
Return of Pointer Value Outside of Expected Range |
|
Major |
Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
467 |
Use of sizeof() on a Pointer Type |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
468 |
Incorrect Pointer Scaling |
|
Major |
Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
469 |
Use of Pointer Subtraction to Determine Size |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
470 |
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
Major |
White_Box_Definitions |
|
Minor |
None |
471 |
Modification of Assumed-Immutable Data (MAID) |
|
Major |
None |
|
Minor |
Applicable_Platforms |
472 |
External Control of Assumed-Immutable Web Parameter |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
473 |
PHP External Variable Modification |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
474 |
Use of Function with Inconsistent Implementations |
|
Major |
Relationships |
|
Minor |
Applicable_Platforms |
475 |
Undefined Behavior for Input to API |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
476 |
NULL Pointer Dereference |
|
Major |
Relationships, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
477 |
Use of Obsolete Function |
|
Major |
Applicable_Platforms, Name, Relationships, Taxonomy_Mappings |
|
Minor |
None |
478 |
Missing Default Case in Switch Statement |
|
Major |
Relationships |
|
Minor |
None |
479 |
Signal Handler Use of a Non-reentrant Function |
|
Major |
Observed_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
480 |
Use of Incorrect Operator |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
481 |
Assigning instead of Comparing |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
None |
482 |
Comparing instead of Assigning |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
None |
483 |
Incorrect Block Delimitation |
|
Major |
Relationships |
|
Minor |
None |
484 |
Omitted Break Statement in Switch |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
485 |
7PK - Encapsulation |
|
Major |
Common_Consequences, Description, Maintenance_Notes, Name, Other_Notes, References, Relationships, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Type |
|
Minor |
None |
486 |
Comparison of Classes by Name |
|
Major |
Relationships, Relevant_Properties |
|
Minor |
None |
487 |
Reliance on Package-level Scope |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
488 |
Exposure of Data Element to Wrong Session |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
489 |
Leftover Debug Code |
|
Major |
Applicable_Platforms, Relationships, White_Box_Definitions |
|
Minor |
None |
490 |
Mobile Code Issues |
|
Major |
Other_Notes, Relationships |
|
Minor |
None |
494 |
Download of Code Without Integrity Check |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
495 |
Private Array-Typed Field Returned From A Public Method |
|
Major |
Relationships, White_Box_Definitions |
|
Minor |
None |
496 |
Public Data Assigned to Private Array-Typed Field |
|
Major |
Relationships, White_Box_Definitions |
|
Minor |
None |
497 |
Exposure of System Data to an Unauthorized Control Sphere |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
498 |
Cloneable Class Containing Sensitive Information |
|
Major |
Demonstrative_Examples, Potential_Mitigations, Relationships |
|
Minor |
None |
499 |
Serializable Class Containing Sensitive Data |
|
Major |
Relationships |
|
Minor |
None |
500 |
Public Static Field Not Marked Final |
|
Major |
White_Box_Definitions |
|
Minor |
None |
501 |
Trust Boundary Violation |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
502 |
Deserialization of Untrusted Data |
|
Major |
Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Potential_Mitigations, References, Relationships |
|
Minor |
None |
503 |
DEPRECATED: Byte/Object Code |
|
Major |
Description, Maintenance_Notes, Name, Type |
|
Minor |
None |
504 |
DEPRECATED: Motivation/Intent |
|
Major |
Description, Maintenance_Notes, Name, Type |
|
Minor |
None |
505 |
DEPRECATED: Intentionally Introduced Weakness |
|
Major |
Demonstrative_Examples, Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
506 |
Embedded Malicious Code |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
507 |
Trojan Horse |
|
Major |
References, Terminology_Notes |
|
Minor |
None |
511 |
Logic/Time Bomb |
|
Major |
References |
|
Minor |
Applicable_Platforms |
513 |
DEPRECATED: Intentionally Introduced Nonmalicious Weakness |
|
Major |
Description, Name, Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
514 |
Covert Channel |
|
Major |
Relationships |
|
Minor |
None |
517 |
DEPRECATED: Other Intentional, Nonmalicious Weakness |
|
Major |
Description, Name, Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
518 |
DEPRECATED: Inadvertently Introduced Weakness |
|
Major |
Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type |
|
Minor |
None |
519 |
.NET Environment Issues |
|
Major |
Description, Relationships, Taxonomy_Mappings |
|
Minor |
None |
520 |
.NET Misconfiguration: Use of Impersonation |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
521 |
Weak Password Requirements |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
522 |
Insufficiently Protected Credentials |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
523 |
Unprotected Transport of Credentials |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
524 |
Information Exposure Through Caching |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
525 |
Information Exposure Through Browser Caching |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
527 |
Exposure of CVS Repository to an Unauthorized Control Sphere |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
528 |
Exposure of Core Dump File to an Unauthorized Control Sphere |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction |
|
Minor |
None |
529 |
Exposure of Access Control List Files to an Unauthorized Control Sphere |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
530 |
Exposure of Backup File to an Unauthorized Control Sphere |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings, Time_of_Introduction |
|
Minor |
None |
531 |
Information Exposure Through Test Code |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
532 |
Information Exposure Through Log Files |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
533 |
Information Exposure Through Server Log Files |
|
Major |
Affected_Resources, Relationships, Taxonomy_Mappings |
|
Minor |
None |
534 |
Information Exposure Through Debug Log Files |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
535 |
Information Exposure Through Shell Error Message |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
536 |
Information Exposure Through Servlet Runtime Error Message |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
537 |
Information Exposure Through Java Runtime Error Message |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
538 |
File and Directory Information Exposure |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
539 |
Information Exposure Through Persistent Cookies |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
540 |
Information Exposure Through Source Code |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
541 |
Information Exposure Through Include Source Code |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
542 |
Information Exposure Through Cleanup Log Files |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
544 |
Missing Standardized Error Handling Mechanism |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
546 |
Suspicious Comment |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
547 |
Use of Hard-coded, Security-relevant Constants |
|
Major |
Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
548 |
Information Exposure Through Directory Listing |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
549 |
Missing Password Field Masking |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
550 |
Information Exposure Through Server Error Message |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
551 |
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
552 |
Files or Directories Accessible to External Parties |
|
Major |
Affected_Resources, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
553 |
Command Shell in Externally Accessible Directory |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
554 |
ASP.NET Misconfiguration: Not Using Input Validation Framework |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
555 |
J2EE Misconfiguration: Plaintext Password in Configuration File |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
556 |
ASP.NET Misconfiguration: Use of Identity Impersonation |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
557 |
Concurrency Issues |
|
Major |
Relationships |
|
Minor |
None |
559 |
Often Misused: Arguments and Parameters |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
560 |
Use of umask() with chmod-style Argument |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
561 |
Dead Code |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
562 |
Return of Stack Variable Address |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
563 |
Assignment to Variable without Use |
|
Major |
Alternate_Terms, Name, Relationships, Taxonomy_Mappings |
|
Minor |
None |
564 |
SQL Injection: Hibernate |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
565 |
Reliance on Cookies without Validation and Integrity Checking |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
566 |
Authorization Bypass Through User-Controlled SQL Primary Key |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
567 |
Unsynchronized Access to Shared Data in a Multithreaded Context |
|
Major |
Applicable_Platforms |
|
Minor |
None |
570 |
Expression is Always False |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
571 |
Expression is Always True |
|
Major |
Applicable_Platforms, Relationships, Taxonomy_Mappings |
|
Minor |
None |
572 |
Call to Thread run() instead of start() |
|
Major |
Relationships |
|
Minor |
None |
573 |
Improper Following of Specification by Caller |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
579 |
J2EE Bad Practices: Non-serializable Object Stored in Session |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
580 |
clone() Method Without super.clone() |
|
Major |
Relationships |
|
Minor |
None |
585 |
Empty Synchronized Block |
|
Major |
Relationships |
|
Minor |
None |
586 |
Explicit Call to Finalize() |
|
Major |
Relationships |
|
Minor |
None |
587 |
Assignment of a Fixed Address to a Pointer |
|
Major |
Applicable_Platforms, Taxonomy_Mappings, White_Box_Definitions |
|
Minor |
None |
588 |
Attempt to Access Child of a Non-structure Pointer |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
589 |
Call to Non-ubiquitous API |
|
Major |
Relationships |
|
Minor |
None |
590 |
Free of Memory not on the Heap |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
591 |
Sensitive Data Storage in Improperly Locked Memory |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
593 |
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
|
Major |
Demonstrative_Examples, Modes_of_Introduction, Relationships |
|
Minor |
None |
594 |
J2EE Framework: Saving Unserializable Objects to Disk |
|
Major |
Relationships |
|
Minor |
None |
595 |
Comparison of Object References Instead of Object Contents |
|
Major |
None |
|
Minor |
Applicable_Platforms |
597 |
Use of Wrong Operator in String Comparison |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
599 |
Missing Validation of OpenSSL Certificate |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
600 |
Uncaught Exception in Servlet |
|
Major |
Relationships |
|
Minor |
None |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
602 |
Client-Side Enforcement of Server-Side Security |
|
Major |
Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
603 |
Use of Client-Side Authentication |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
605 |
Multiple Binds to the Same Port |
|
Major |
Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Relationships, Taxonomy_Mappings |
|
Minor |
None |
606 |
Unchecked Input for Loop Condition |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
None |
607 |
Public Static Final Field References Mutable Object |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
608 |
Struts: Non-private Field in ActionForm Class |
|
Major |
Causal_Nature, Relationships, Taxonomy_Mappings |
|
Minor |
None |
610 |
Externally Controlled Reference to a Resource in Another Sphere |
|
Major |
Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
None |
611 |
Improper Restriction of XML External Entity Reference ('XXE') |
|
Major |
Modes_of_Introduction, References, Relationships, Relevant_Properties |
|
Minor |
None |
612 |
Information Exposure Through Indexing of Private Data |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
613 |
Insufficient Session Expiration |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
614 |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
615 |
Information Exposure Through Comments |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
617 |
Reachable Assertion |
|
Major |
Relationships |
|
Minor |
None |
618 |
Exposed Unsafe ActiveX Method |
|
Major |
References, Relationships |
|
Minor |
None |
619 |
Dangling Database Cursor ('Cursor Injection') |
|
Major |
Relationships |
|
Minor |
None |
620 |
Unverified Password Change |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
622 |
Improper Validation of Function Hook Arguments |
|
Major |
Applicable_Platforms |
|
Minor |
None |
623 |
Unsafe ActiveX Control Marked Safe For Scripting |
|
Major |
References |
|
Minor |
None |
624 |
Executable Regular Expression Error |
|
Major |
Observed_Examples |
|
Minor |
None |
625 |
Permissive Regular Expression |
|
Major |
Demonstrative_Examples, Observed_Examples |
|
Minor |
None |
627 |
Dynamic Variable Evaluation |
|
Major |
References |
|
Minor |
None |
628 |
Function Call with Incorrectly Specified Arguments |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
629 |
Weaknesses in OWASP Top Ten (2007) |
|
Major |
References |
|
Minor |
None |
630 |
DEPRECATED: Weaknesses Examined by SAMATE |
|
Major |
Description, Name, References, Relationships, Type |
|
Minor |
None |
631 |
DEPRECATED: Resource-specific Weaknesses |
|
Major |
Description, Name, Relationships, Type |
|
Minor |
None |
632 |
DEPRECATED: Weaknesses that Affect Files or Directories |
|
Major |
Description, Name, Relationships, Type |
|
Minor |
None |
633 |
DEPRECATED: Weaknesses that Affect Memory |
|
Major |
Description, Name, Relationships, Type |
|
Minor |
None |
634 |
DEPRECATED: Weaknesses that Affect System Processes |
|
Major |
Description, Name, Relationships, Type |
|
Minor |
None |
635 |
Weaknesses Originally Used by NVD from 2008 to 2016 |
|
Major |
Description, Maintenance_Notes, Name |
|
Minor |
None |
636 |
Not Failing Securely ('Failing Open') |
|
Major |
Applicable_Platforms, Causal_Nature, Relationships |
|
Minor |
None |
637 |
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
638 |
Not Using Complete Mediation |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
639 |
Authorization Bypass Through User-Controlled Key |
|
Major |
Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
640 |
Weak Password Recovery Mechanism for Forgotten Password |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
None |
641 |
Improper Restriction of Names for Files and Other Resources |
|
Major |
Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships |
|
Minor |
None |
642 |
External Control of Critical State Data |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Relationships, Relevant_Properties |
|
Minor |
None |
643 |
Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
|
Major |
Applicable_Platforms, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Relationships |
|
Minor |
None |
644 |
Improper Neutralization of HTTP Headers for Scripting Syntax |
|
Major |
Applicable_Platforms, Enabling_Factors_for_Exploitation |
|
Minor |
None |
645 |
Overly Restrictive Account Lockout Mechanism |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
None |
646 |
Reliance on File Name or Extension of Externally-Supplied File |
|
Major |
Enabling_Factors_for_Exploitation |
|
Minor |
Applicable_Platforms |
647 |
Use of Non-Canonical URL Paths for Authorization Decisions |
|
Major |
Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
Applicable_Platforms |
648 |
Incorrect Use of Privileged APIs |
|
Major |
Applicable_Platforms, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships |
|
Minor |
None |
649 |
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking |
|
Major |
Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
None |
650 |
Trusting HTTP Permission Methods on the Server Side |
|
Major |
Applicable_Platforms, Description, Enabling_Factors_for_Exploitation, Observed_Examples, Relationships |
|
Minor |
None |
651 |
Information Exposure Through WSDL File |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Observed_Examples |
|
Minor |
None |
652 |
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
None |
653 |
Insufficient Compartmentalization |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships |
|
Minor |
None |
654 |
Reliance on a Single Factor in a Security Decision |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
655 |
Insufficient Psychological Acceptability |
|
Major |
Applicable_Platforms, Causal_Nature |
|
Minor |
None |
656 |
Reliance on Security Through Obscurity |
|
Major |
Applicable_Platforms, Causal_Nature, Modes_of_Introduction, Relationships |
|
Minor |
None |
662 |
Improper Synchronization |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
663 |
Use of a Non-reentrant Function in a Concurrent Context |
|
Major |
Observed_Examples |
|
Minor |
None |
664 |
Improper Control of a Resource Through its Lifetime |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
665 |
Improper Initialization |
|
Major |
References, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
666 |
Operation on Resource in Wrong Phase of Lifetime |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
667 |
Improper Locking |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
668 |
Exposure of Resource to Wrong Sphere |
|
Major |
Modes_of_Introduction, Relationships, Relevant_Properties |
|
Minor |
None |
669 |
Incorrect Resource Transfer Between Spheres |
|
Major |
Modes_of_Introduction, Relationships, Relevant_Properties |
|
Minor |
None |
670 |
Always-Incorrect Control Flow Implementation |
|
Major |
Relationships |
|
Minor |
None |
671 |
Lack of Administrator Control over Security |
|
Major |
Modes_of_Introduction, Relationships, Relevant_Properties |
|
Minor |
None |
672 |
Operation on a Resource after Expiration or Release |
|
Major |
Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
673 |
External Influence of Sphere Definition |
|
Major |
Modes_of_Introduction, Relationships, Relevant_Properties |
|
Minor |
None |
674 |
Uncontrolled Recursion |
|
Major |
Applicable_Platforms, Relationships |
|
Minor |
None |
675 |
Duplicate Operations on Resource |
|
Major |
Applicable_Platforms, Relationships, Relevant_Properties, Taxonomy_Mappings |
|
Minor |
None |
676 |
Use of Potentially Dangerous Function |
|
Major |
Causal_Nature, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
678 |
Composites |
|
Major |
Description, View_Structure |
|
Minor |
None |
679 |
DEPRECATED: Chain Elements |
|
Major |
Description, Name, Type, View_Filter |
|
Minor |
None |
680 |
Integer Overflow to Buffer Overflow |
|
Major |
Applicable_Platforms, Observed_Examples, Relationships, Relevant_Properties, Taxonomy_Mappings |
|
Minor |
None |
681 |
Incorrect Conversion between Numeric Types |
|
Major |
Likelihood_of_Exploit, Observed_Examples, Taxonomy_Mappings, Type |
|
Minor |
Applicable_Platforms |
682 |
Incorrect Calculation |
|
Major |
Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
684 |
Incorrect Provision of Specified Functionality |
|
Major |
Relationships, Type |
|
Minor |
None |
685 |
Function Call With Incorrect Number of Arguments |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
686 |
Function Call With Incorrect Argument Type |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
687 |
Function Call With Incorrectly Specified Argument Value |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
689 |
Permission Race Condition During Resource Copy |
|
Major |
Relationships |
|
Minor |
None |
690 |
Unchecked Return Value to NULL Pointer Dereference |
|
Major |
Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction |
|
Minor |
None |
691 |
Insufficient Control Flow Management |
|
Major |
Applicable_Platforms, Relationships, Relevant_Properties |
|
Minor |
None |
692 |
Incomplete Blacklist to Cross-Site Scripting |
|
Major |
Relationships, Relevant_Properties |
|
Minor |
Applicable_Platforms |
693 |
Protection Mechanism Failure |
|
Major |
Applicable_Platforms |
|
Minor |
None |
694 |
Use of Multiple Resources with Duplicate Identifier |
|
Major |
Relevant_Properties |
|
Minor |
Applicable_Platforms |
695 |
Use of Low-Level Functionality |
|
Major |
Relationships |
|
Minor |
None |
696 |
Incorrect Behavior Order |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
697 |
Insufficient Comparison |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
699 |
Development Concepts |
|
Major |
Maintenance_Notes, Relationships |
|
Minor |
None |
700 |
Seven Pernicious Kingdoms |
|
Major |
Alternate_Terms, Other_Notes |
|
Minor |
None |
703 |
Improper Check or Handling of Exceptional Conditions |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
704 |
Incorrect Type Conversion or Cast |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
705 |
Incorrect Control Flow Scoping |
|
Major |
Applicable_Platforms, Relationships, Taxonomy_Mappings |
|
Minor |
None |
706 |
Use of Incorrectly-Resolved Name or Reference |
|
Major |
Applicable_Platforms |
|
Minor |
None |
707 |
Improper Enforcement of Message or Data Structure |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
708 |
Incorrect Ownership Assignment |
|
Major |
Applicable_Platforms, Modes_of_Introduction, Relationships |
|
Minor |
None |
709 |
Named Chains |
|
Major |
Description, View_Structure |
|
Minor |
None |
710 |
Improper Adherence to Coding Standards |
|
Major |
Applicable_Platforms, Name, Relationships |
|
Minor |
None |
711 |
Weaknesses in OWASP Top Ten (2004) |
|
Major |
References |
|
Minor |
None |
712 |
OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
713 |
OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
714 |
OWASP Top Ten 2007 Category A3 - Malicious File Execution |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
715 |
OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
716 |
OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF) |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
717 |
OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
718 |
OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
719 |
OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
721 |
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
724 |
OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
728 |
OWASP Top Ten 2004 Category A7 - Improper Error Handling |
|
Major |
Relationships |
|
Minor |
None |
731 |
OWASP Top Ten 2004 Category A10 - Insecure Configuration Management |
|
Major |
Relationships |
|
Minor |
None |
732 |
Incorrect Permission Assignment for Critical Resource |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
733 |
Compiler Optimization Removal or Modification of Security-critical Code |
|
Major |
References, Relationships |
|
Minor |
None |
734 |
Weaknesses Addressed by the CERT C Secure Coding Standard (2008 Version) |
|
Major |
Description, Maintenance_Notes, Name, References |
|
Minor |
None |
735 |
CERT C Secure Coding (2008 Version) Section 01 - Preprocessor (PRE) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
736 |
CERT C Secure Coding (2008 Version) Section 02 - Declarations and Initialization (DCL) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
737 |
CERT C Secure Coding (2008 Version) Section 03 - Expressions (EXP) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
738 |
CERT C Secure Coding (2008 Version) Section 04 - Integers (INT) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
739 |
CERT C Secure Coding (2008 Version) Section 05 - Floating Point (FLP) |
|
Major |
Description, Name, References, Relationship_Notes |
|
Minor |
None |
740 |
CERT C Secure Coding (2008 Version) Section 06 - Arrays (ARR) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
741 |
CERT C Secure Coding (2008 Version) Section 07 - Characters and Strings (STR) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
742 |
CERT C Secure Coding (2008 Version) Section 08 - Memory Management (MEM) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
743 |
CERT C Secure Coding (2008 Version) Section 09 - Input Output (FIO) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
744 |
CERT C Secure Coding (2008 Version) Section 10 - Environment (ENV) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
745 |
CERT C Secure Coding (2008 Version) Section 11 - Signals (SIG) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
746 |
CERT C Secure Coding (2008 Version) Section 12 - Error Handling (ERR) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
747 |
CERT C Secure Coding (2008 Version) Section 49 - Miscellaneous (MSC) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
748 |
CERT C Secure Coding (2008 Version) Section 50 - POSIX (POS) |
|
Major |
Description, Name, Relationship_Notes |
|
Minor |
None |
749 |
Exposed Dangerous Method or Function |
|
Major |
Likelihood_of_Exploit, References, Relationships |
|
Minor |
Applicable_Platforms |
750 |
Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors |
|
Major |
References |
|
Minor |
None |
751 |
2009 Top 25 - Insecure Interaction Between Components |
|
Major |
References |
|
Minor |
None |
752 |
2009 Top 25 - Risky Resource Management |
|
Major |
References |
|
Minor |
None |
753 |
2009 Top 25 - Porous Defenses |
|
Major |
References |
|
Minor |
None |
754 |
Improper Check for Unusual or Exceptional Conditions |
|
Major |
Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
755 |
Improper Handling of Exceptional Conditions |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
756 |
Missing Custom Error Page |
|
Major |
Relationships |
|
Minor |
None |
757 |
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
758 |
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
759 |
Use of a One-Way Hash without a Salt |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
None |
760 |
Use of a One-Way Hash with a Predictable Salt |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
None |
762 |
Mismatched Memory Management Routines |
|
Major |
Applicable_Platforms, References, Taxonomy_Mappings |
|
Minor |
None |
763 |
Release of Invalid Pointer or Reference |
|
Major |
Relationships |
|
Minor |
None |
766 |
Critical Variable Declared Public |
|
Major |
Likelihood_of_Exploit, Relationships |
|
Minor |
None |
767 |
Access to Critical Private Variable via Public Method |
|
Major |
Likelihood_of_Exploit, Relationships, Taxonomy_Mappings |
|
Minor |
None |
768 |
Incorrect Short Circuit Evaluation |
|
Major |
Likelihood_of_Exploit, Taxonomy_Mappings |
|
Minor |
None |
769 |
Uncontrolled File Descriptor Consumption |
|
Major |
Alternate_Terms, Description, Likelihood_of_Exploit, Name, Relationships, Type |
|
Minor |
None |
770 |
Allocation of Resources Without Limits or Throttling |
|
Major |
Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
771 |
Missing Reference to Active Allocated Resource |
|
Major |
Likelihood_of_Exploit, Taxonomy_Mappings |
|
Minor |
None |
772 |
Missing Release of Resource after Effective Lifetime |
|
Major |
Likelihood_of_Exploit, Taxonomy_Mappings |
|
Minor |
None |
773 |
Missing Reference to Active File Descriptor or Handle |
|
Major |
Likelihood_of_Exploit, Relationships, Taxonomy_Mappings |
|
Minor |
None |
774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
|
Major |
Likelihood_of_Exploit, Relationships |
|
Minor |
None |
775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
|
Major |
Likelihood_of_Exploit, Relationships, Taxonomy_Mappings |
|
Minor |
None |
776 |
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
|
Major |
Likelihood_of_Exploit, References |
|
Minor |
None |
777 |
Regular Expression without Anchors |
|
Major |
Likelihood_of_Exploit |
|
Minor |
None |
778 |
Insufficient Logging |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
779 |
Logging of Excessive Data |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
780 |
Use of RSA Algorithm without OAEP |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
None |
781 |
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit, References |
|
Minor |
None |
782 |
Exposed IOCTL with Insufficient Access Control |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, Relationships |
|
Minor |
None |
783 |
Operator Precedence Logic Error |
|
Major |
Taxonomy_Mappings, Time_of_Introduction |
|
Minor |
None |
784 |
Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
785 |
Use of Path Manipulation Function without Maximum-sized Buffer |
|
Major |
Affected_Resources, Demonstrative_Examples, Relationships, White_Box_Definitions |
|
Minor |
None |
786 |
Access of Memory Location Before Start of Buffer |
|
Major |
Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings |
|
Minor |
None |
788 |
Access of Memory Location After End of Buffer |
|
Major |
Common_Consequences, Demonstrative_Examples, Observed_Examples |
|
Minor |
None |
789 |
Uncontrolled Memory Allocation |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
790 |
Improper Filtering of Special Elements |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
791 |
Incomplete Filtering of Special Elements |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
792 |
Incomplete Filtering of One or More Instances of Special Elements |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
793 |
Only Filtering One Instance of a Special Element |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
794 |
Incomplete Filtering of Multiple Instances of Special Elements |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
795 |
Only Filtering Special Elements at a Specified Location |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
796 |
Only Filtering Special Elements Relative to a Marker |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
797 |
Only Filtering Special Elements at an Absolute Position |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
798 |
Use of Hard-coded Credentials |
|
Major |
Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
799 |
Improper Control of Interaction Frequency |
|
Major |
Demonstrative_Examples |
|
Minor |
Applicable_Platforms |
800 |
Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors |
|
Major |
References |
|
Minor |
None |
801 |
2010 Top 25 - Insecure Interaction Between Components |
|
Major |
References |
|
Minor |
None |
802 |
2010 Top 25 - Risky Resource Management |
|
Major |
References |
|
Minor |
None |
803 |
2010 Top 25 - Porous Defenses |
|
Major |
References |
|
Minor |
None |
804 |
Guessable CAPTCHA |
|
Major |
Applicable_Platforms, Likelihood_of_Exploit |
|
Minor |
None |
805 |
Buffer Access with Incorrect Length Value |
|
Major |
Applicable_Platforms, Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References, Taxonomy_Mappings |
|
Minor |
None |
806 |
Buffer Access Using Size of Source Buffer |
|
Major |
Causal_Nature, Demonstrative_Examples, Likelihood_of_Exploit, References |
|
Minor |
None |
807 |
Reliance on Untrusted Inputs in a Security Decision |
|
Major |
Likelihood_of_Exploit, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
808 |
2010 Top 25 - Weaknesses On the Cusp |
|
Major |
References |
|
Minor |
None |
809 |
Weaknesses in OWASP Top Ten (2010) |
|
Major |
References |
|
Minor |
None |
820 |
Missing Synchronization |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
822 |
Untrusted Pointer Dereference |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
827 |
Improper Control of Document Type Definition |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
828 |
Signal Handler with Functionality that is not Asynchronous-Safe |
|
Major |
Observed_Examples |
|
Minor |
None |
829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
830 |
Inclusion of Web Functionality from an Untrusted Source |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
None |
834 |
Excessive Iteration |
|
Major |
Relationships |
|
Minor |
None |
835 |
Loop with Unreachable Exit Condition ('Infinite Loop') |
|
Major |
Demonstrative_Examples |
|
Minor |
Applicable_Platforms |
836 |
Use of Password Hash Instead of Password for Authentication |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
837 |
Improper Enforcement of a Single, Unique Action |
|
Major |
None |
|
Minor |
Applicable_Platforms |
838 |
Inappropriate Encoding for Output Context |
|
Major |
References, Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
840 |
Business Logic Errors |
|
Major |
Description, Observed_Examples, References, Taxonomy_Mappings |
|
Minor |
None |
841 |
Improper Enforcement of Behavioral Workflow |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
None |
842 |
Placement of User into Incorrect Group |
|
Major |
None |
|
Minor |
Applicable_Platforms |
843 |
Access of Resource Using Incompatible Type ('Type Confusion') |
|
Major |
Applicable_Platforms, Taxonomy_Mappings |
|
Minor |
None |
862 |
Missing Authorization |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
863 |
Incorrect Authorization |
|
Major |
Applicable_Platforms, Modes_of_Introduction, References, Relationships |
|
Minor |
None |
864 |
2011 Top 25 - Insecure Interaction Between Components |
|
Major |
References |
|
Minor |
None |
865 |
2011 Top 25 - Risky Resource Management |
|
Major |
References |
|
Minor |
None |
866 |
2011 Top 25 - Porous Defenses |
|
Major |
References |
|
Minor |
None |
867 |
2011 Top 25 - Weaknesses On the Cusp |
|
Major |
References |
|
Minor |
None |
881 |
CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP) |
|
Major |
Relationships |
|
Minor |
None |
893 |
SFP Primary Cluster: Path Resolution |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
900 |
Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors |
|
Major |
References |
|
Minor |
None |
908 |
Use of Uninitialized Resource |
|
Major |
Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
909 |
Missing Initialization of Resource |
|
Major |
None |
|
Minor |
Applicable_Platforms |
910 |
Use of Expired File Descriptor |
|
Major |
Taxonomy_Mappings |
|
Minor |
Applicable_Platforms |
911 |
Improper Update of Reference Count |
|
Major |
None |
|
Minor |
Applicable_Platforms |
912 |
Hidden Functionality |
|
Major |
Relationships |
|
Minor |
None |
913 |
Improper Control of Dynamically-Managed Code Resources |
|
Major |
Relationships |
|
Minor |
None |
915 |
Improperly Controlled Modification of Dynamically-Determined Object Attributes |
|
Major |
References |
|
Minor |
Applicable_Platforms |
916 |
Use of Password Hash With Insufficient Computational Effort |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
917 |
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
|
Major |
References |
|
Minor |
None |
918 |
Server-Side Request Forgery (SSRF) |
|
Major |
Applicable_Platforms, References |
|
Minor |
None |
920 |
Improper Restriction of Power Consumption |
|
Major |
None |
|
Minor |
Applicable_Platforms |
921 |
Storage of Sensitive Data in a Mechanism without Access Control |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
922 |
Insecure Storage of Sensitive Information |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
923 |
Improper Restriction of Communication Channel to Intended Endpoints |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
924 |
Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
|
Major |
Modes_of_Introduction, Relationships |
|
Minor |
Applicable_Platforms |
925 |
Improper Verification of Intent by Broadcast Receiver |
|
Major |
Demonstrative_Examples |
|
Minor |
Applicable_Platforms |
926 |
Improper Export of Android Application Components |
|
Major |
References |
|
Minor |
Applicable_Platforms |
927 |
Use of Implicit Intent for Sensitive Communication |
|
Major |
References |
|
Minor |
Applicable_Platforms |
928 |
Weaknesses in OWASP Top Ten (2013) |
|
Major |
References |
|
Minor |
None |
939 |
Improper Authorization in Handler for Custom URL Scheme |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
None |
940 |
Improper Verification of Source of a Communication Channel |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
941 |
Incorrectly Specified Destination in a Communication Channel |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
942 |
Overly Permissive Cross-domain Whitelist |
|
Major |
Modes_of_Introduction, References, Relationships |
|
Minor |
Applicable_Platforms |
943 |
Improper Neutralization of Special Elements in Data Query Logic |
|
Major |
Modes_of_Introduction, Observed_Examples, Relationships |
|
Minor |
Applicable_Platforms |
966 |
SFP Secondary Cluster: Other Exposures |
|
Major |
Relationships |
|
Minor |
None |
980 |
SFP Secondary Cluster: Link in Resource Name Resolution |
|
Major |
Relationships |
|
Minor |
None |
990 |
SFP Secondary Cluster: Tainted Input to Command |
|
Major |
Relationships |
|
Minor |
None |
1004 |
Sensitive Cookie Without 'HttpOnly' Flag |
|
Major |
Applicable_Platforms, References, Relationships |
|
Minor |
None |
1005 |
7PK - Input Validation and Representation |
|
Major |
Description, Name, References |
|
Minor |
None |