CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 2.1 and Version 2.2  
ID

Differences between Version 2.1 and Version 2.2

Summary
Summary
Total (Version 2.2) 909
Total (Version 2.1) 886
Total new 23
Total deprecated 0
Total shared 886
Total important changes 656
Total major changes 683
Total minor changes 0
Total minor changes (no major)
Total unchanged 203

Summary of Entry Types

Type Version 2.1 Version 2.2
Category 156 177
Chain 3 3
Composite 6 6
Deprecated 12 12
View 27 29
Weakness 682 682

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 0 0
Description 0 0
Applicable_Platforms 0 0
Time_of_Introduction 0 0
Demonstrative_Examples 118 0
Detection_Factors 0 0
Likelihood_of_Exploit 0 0
Common_Consequences 85 0
Relationships 656 0
References 192 0
Potential_Mitigations 12 0
Observed_Examples 72 0
Terminology_Notes 0 0
Alternate_Terms 0 0
Related_Attack_Patterns 78 0
Relationship_Notes 0 0
Taxonomy_Mappings 95 0
Maintenance_Notes 0 0
Modes_of_Introduction 0 0
Affected_Resources 0 0
Functional_Areas 0 0
Research_Gaps 0 0
Background_Details 0 0
Theoretical_Notes 0 0
Weakness_Ordinalities 2 0
White_Box_Definitions 0 0
Enabling_Factors_for_Exploitation 0 0
Other_Notes 0 0
Relevant_Properties 0 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 0 0
Causal_Nature 0 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 886

Status Changes

From To Total
Unchanged 886

Relationship Changes

The "Version 2.2 Total" lists the total number of relationships in Version 2.2. The "Shared" value is the total number of relationships in entries that were in both Version 2.2 and Version 2.1. The "New" value is the total number of relationships involving entries that did not exist in Version 2.1. Thus, the total number of relationships in Version 2.2 would combine stats from Shared entries and New entries.

Relationship Version 2.2 Total Version 2.1 Total Version 2.2 Shared Unchanged Added to Version 2.2 Removed from Version 2.1 Version 2.2 New
ALL 7357 5797 5741 5735 6 62 1616
ChildOf 3113 2507 2484 2481 3 26 629
ParentOf 3113 2507 2484 2481 3 26 629
MemberOf 334 155 155 155 179
HasMember 334 155 155 155 179
CanPrecede 113 113 113 113
CanFollow 113 113 113 113
StartsWith 3 3 3 3
Requires 19 19 19 19
RequiredBy 19 19 19 19
CanAlsoBe 34 34 34 34
PeerOf 162 172 162 162 10

Nodes Removed from Version 2.1

CWE-ID CWE Name
None.

Nodes Added to Version 2.2

CWE-ID CWE Name
884 CWE Cross-section
885 SFP Cluster: Risky Values
886 SFP Cluster: Unused entities
887 SFP Cluster: API
888 Software Fault Pattern (SFP) Clusters
889 SFP Cluster: Exception Management
890 SFP Cluster: Memory Access
891 SFP Cluster: Memory Management
892 SFP Cluster: Resource Management
893 SFP Cluster: Path Resolution
894 SFP Cluster: Synchronization
895 SFP Cluster: Information Leak
896 SFP Cluster: Tainted Input
897 SFP Cluster: Entry Points
898 SFP Cluster: Authentication
899 SFP Cluster: Access Control
901 SFP Cluster: Privilege
902 SFP Cluster: Channel
903 SFP Cluster: Cryptography
904 SFP Cluster: Malware
905 SFP Cluster: Predictability
906 SFP Cluster: UI
907 SFP Cluster: Other

Nodes Deprecated in Version 2.2

CWE-ID CWE Name
None.
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 5 J2EE Misconfiguration: Data Transmission Without Encryption
R 6 J2EE Misconfiguration: Insufficient Session-ID Length
R 7 J2EE Misconfiguration: Missing Custom Error Page
R 8 J2EE Misconfiguration: Entity Bean Declared Remote
R 9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
R 11 ASP.NET Misconfiguration: Creating Debug Binary
R 12 ASP.NET Misconfiguration: Missing Custom Error Page
R 13 ASP.NET Misconfiguration: Password in Configuration File
R 14 Compiler Removal of Code to Clear Buffers
R 15 External Control of System or Configuration Setting
R 20 Improper Input Validation
R 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
R 23 Relative Path Traversal
R 24 Path Traversal: '../filedir'
R 25 Path Traversal: '/../filedir'
R 26 Path Traversal: '/dir/../filename'
R 27 Path Traversal: 'dir/../../filename'
R 28 Path Traversal: '..\filedir'
R 29 Path Traversal: '\..\filename'
R 30 Path Traversal: '\dir\..\filename'
R 31 Path Traversal: 'dir\..\..\filename'
R 32 Path Traversal: '...' (Triple Dot)
R 33 Path Traversal: '....' (Multiple Dot)
R 34 Path Traversal: '....//'
R 35 Path Traversal: '.../...//'
R 36 Absolute Path Traversal
R 37 Path Traversal: '/absolute/pathname/here'
R 38 Path Traversal: '\absolute\pathname\here'
R 39 Path Traversal: 'C:dirname'
R 40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
R 41 Improper Resolution of Path Equivalence
R 42 Path Equivalence: 'filename.' (Trailing Dot)
R 43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
R 44 Path Equivalence: 'file.name' (Internal Dot)
R 45 Path Equivalence: 'file...name' (Multiple Internal Dot)
R 46 Path Equivalence: 'filename ' (Trailing Space)
R 47 Path Equivalence: ' filename' (Leading Space)
R 48 Path Equivalence: 'file name' (Internal Whitespace)
R 49 Path Equivalence: 'filename/' (Trailing Slash)
R 50 Path Equivalence: '//multiple/leading/slash'
R 51 Path Equivalence: '/multiple//internal/slash'
R 52 Path Equivalence: '/multiple/trailing/slash//'
R 53 Path Equivalence: '\multiple\\internal\backslash'
R 54 Path Equivalence: 'filedir\' (Trailing Backslash)
R 55 Path Equivalence: '/./' (Single Dot Directory)
R 56 Path Equivalence: 'filedir*' (Wildcard)
R 57 Path Equivalence: 'fakedir/../realdir/filename'
R 58 Path Equivalence: Windows 8.3 Filename
R 59 Improper Link Resolution Before File Access ('Link Following')
R 62 UNIX Hard Link
R 64 Windows Shortcut Following (.LNK)
R 65 Windows Hard Link
R 66 Improper Handling of File Names that Identify Virtual Resources
R 67 Improper Handling of Windows Device Names
R 69 Improper Handling of Windows ::DATA Alternate Data Stream
R 71 Apple '.DS_Store'
R 72 Improper Handling of Apple HFS+ Alternate Data Stream Path
R 73 External Control of File Name or Path
R 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
R 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
R 76 Improper Neutralization of Equivalent Special Elements
R 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
R 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
R 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
R 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
R 81 Improper Neutralization of Script in an Error Message Web Page
R 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
R 83 Improper Neutralization of Script in Attributes in a Web Page
R 84 Improper Neutralization of Encoded URI Schemes in a Web Page
R 85 Doubled Character XSS Manipulations
R 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
R 87 Improper Neutralization of Alternate XSS Syntax
R 88 Argument Injection or Modification
R 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
R 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
R 94 Improper Control of Generation of Code ('Code Injection')
R 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
R 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
R 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
R 99 Improper Control of Resource Identifiers ('Resource Injection')
R 100 Technology-Specific Input Validation Problems
R 102 Struts: Duplicate Validation Forms
R 103 Struts: Incomplete validate() Method Definition
R 104 Struts: Form Bean Does Not Extend Validation Class
R 105 Struts: Form Field Without Validator
R 106 Struts: Plug-in Framework not in Use
R 107 Struts: Unused Validation Form
R 108 Struts: Unvalidated Action Form
R 109 Struts: Validator Turned Off
R 110 Struts: Validator Without Form Field
R 111 Direct Use of Unsafe JNI
R 112 Missing XML Validation
R 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
R 114 Process Control
R 115 Misinterpretation of Input
R 116 Improper Encoding or Escaping of Output
R 117 Improper Output Neutralization for Logs
R 118 Improper Access of Indexable Resource ('Range Error')
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 121 Stack-based Buffer Overflow
R 122 Heap-based Buffer Overflow
R 123 Write-what-where Condition
R 124 Buffer Underwrite ('Buffer Underflow')
R 125 Out-of-bounds Read
R 126 Buffer Over-read
R 127 Buffer Under-read
R 128 Wrap-around Error
R 129 Improper Validation of Array Index
R 130 Improper Handling of Length Parameter Inconsistency
R 131 Incorrect Calculation of Buffer Size
R 134 Uncontrolled Format String
R 135 Incorrect Calculation of Multi-Byte String Length
R 138 Improper Neutralization of Special Elements
R 140 Improper Neutralization of Delimiters
R 141 Improper Neutralization of Parameter/Argument Delimiters
R 142 Improper Neutralization of Value Delimiters
R 143 Improper Neutralization of Record Delimiters
R 144 Improper Neutralization of Line Delimiters
R 145 Improper Neutralization of Section Delimiters
R 146 Improper Neutralization of Expression/Command Delimiters
R 147 Improper Neutralization of Input Terminators
R 148 Improper Neutralization of Input Leaders
R 149 Improper Neutralization of Quoting Syntax
R 150 Improper Neutralization of Escape, Meta, or Control Sequences
R 151 Improper Neutralization of Comment Delimiters
R 152 Improper Neutralization of Macro Symbols
R 153 Improper Neutralization of Substitution Characters
R 154 Improper Neutralization of Variable Name Delimiters
R 155 Improper Neutralization of Wildcards or Matching Symbols
R 156 Improper Neutralization of Whitespace
R 157 Failure to Sanitize Paired Delimiters
R 158 Improper Neutralization of Null Byte or NUL Character
R 159 Failure to Sanitize Special Element
R 160 Improper Neutralization of Leading Special Elements
R 161 Improper Neutralization of Multiple Leading Special Elements
R 162 Improper Neutralization of Trailing Special Elements
R 163 Improper Neutralization of Multiple Trailing Special Elements
R 164 Improper Neutralization of Internal Special Elements
R 165 Improper Neutralization of Multiple Internal Special Elements
R 166 Improper Handling of Missing Special Element
R 167 Improper Handling of Additional Special Element
R 168 Improper Handling of Inconsistent Special Elements
R 170 Improper Null Termination
R 172 Encoding Error
R 173 Improper Handling of Alternate Encoding
R 174 Double Decoding of the Same Data
R 175 Improper Handling of Mixed Encoding
R 176 Improper Handling of Unicode Encoding
R 177 Improper Handling of URL Encoding (Hex Encoding)
R 178 Improper Handling of Case Sensitivity
R 179 Incorrect Behavior Order: Early Validation
R 180 Incorrect Behavior Order: Validate Before Canonicalize
R 181 Incorrect Behavior Order: Validate Before Filter
R 182 Collapse of Data into Unsafe Value
R 183 Permissive Whitelist
R 184 Incomplete Blacklist
R 185 Incorrect Regular Expression
R 186 Overly Restrictive Regular Expression
R 187 Partial Comparison
R 188 Reliance on Data/Memory Layout
R 190 Integer Overflow or Wraparound
R 191 Integer Underflow (Wrap or Wraparound)
R 193 Off-by-one Error
R 194 Unexpected Sign Extension
R 195 Signed to Unsigned Conversion Error
R 196 Unsigned to Signed Conversion Error
R 197 Numeric Truncation Error
R 198 Use of Incorrect Byte Ordering
R 200 Information Exposure
R 201 Information Exposure Through Sent Data
R 202 Exposure of Sensitive Data Through Data Queries
R 203 Information Exposure Through Discrepancy
R 204 Response Discrepancy Information Exposure
R 205 Information Exposure Through Behavioral Discrepancy
R 206 Information Exposure of Internal State Through Behavioral Inconsistency
R 207 Information Exposure Through an External Behavioral Inconsistency
R 208 Information Exposure Through Timing Discrepancy
R 209 Information Exposure Through an Error Message
R 210 Information Exposure Through Generated Error Message
R 211 Information Exposure Through External Error Message
R 212 Improper Cross-boundary Removal of Sensitive Data
R 213 Intentional Information Exposure
R 214 Information Exposure Through Process Environment
R 215 Information Exposure Through Debug Information
R 216 Containment Errors (Container Errors)
R 219 Sensitive Data Under Web Root
R 220 Sensitive Data Under FTP Root
R 221 Information Loss or Omission
R 222 Truncation of Security-relevant Information
R 223 Omission of Security-relevant Information
R 224 Obscured Security-relevant Information by Alternate Name
R 226 Sensitive Information Uncleared Before Release
R 227 Improper Fulfillment of API Contract ('API Abuse')
R 228 Improper Handling of Syntactically Invalid Structure
R 229 Improper Handling of Values
R 230 Improper Handling of Missing Values
R 231 Improper Handling of Extra Values
R 232 Improper Handling of Undefined Values
R 233 Parameter Problems
R 234 Failure to Handle Missing Parameter
R 235 Improper Handling of Extra Parameters
R 236 Improper Handling of Undefined Parameters
R 237 Improper Handling of Structural Elements
R 238 Improper Handling of Incomplete Structural Elements
R 239 Failure to Handle Incomplete Element
R 240 Improper Handling of Inconsistent Structural Elements
R 241 Improper Handling of Unexpected Data Type
R 242 Use of Inherently Dangerous Function
R 243 Creation of chroot Jail Without Changing Working Directory
R 244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
R 245 J2EE Bad Practices: Direct Management of Connections
R 246 J2EE Bad Practices: Direct Use of Sockets
R 247 Reliance on DNS Lookups in a Security Decision
R 248 Uncaught Exception
R 250 Execution with Unnecessary Privileges
R 252 Unchecked Return Value
R 253 Incorrect Check of Function Return Value
R 256 Plaintext Storage of a Password
R 257 Storing Passwords in a Recoverable Format
R 258 Empty Password in Configuration File
R 259 Use of Hard-coded Password
R 260 Password in Configuration File
R 261 Weak Cryptography for Passwords
R 262 Not Using Password Aging
R 263 Password Aging with Long Expiration
R 266 Incorrect Privilege Assignment
R 267 Privilege Defined With Unsafe Actions
R 268 Privilege Chaining
R 269 Improper Privilege Management
R 270 Privilege Context Switching Error
R 271 Privilege Dropping / Lowering Errors
R 272 Least Privilege Violation
R 273 Improper Check for Dropped Privileges
R 274 Improper Handling of Insufficient Privileges
R 276 Incorrect Default Permissions
R 277 Insecure Inherited Permissions
R 278 Insecure Preserved Inherited Permissions
R 279 Incorrect Execution-Assigned Permissions
R 280 Improper Handling of Insufficient Permissions or Privileges
R 281 Improper Preservation of Permissions
R 282 Improper Ownership Management
R 283 Unverified Ownership
R 284 Improper Access Control
R 285 Improper Authorization
R 286 Incorrect User Management
R 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
R 290 Authentication Bypass by Spoofing
R 291 Trusting Self-reported IP Address
R 292 Trusting Self-reported DNS Name
R 293 Using Referer Field for Authentication
R 294 Authentication Bypass by Capture-replay
R 296 Improper Following of Chain of Trust for Certificate Validation
R 297 Improper Validation of Host-specific Certificate Data
R 298 Improper Validation of Certificate Expiration
R 299 Improper Check for Certificate Revocation
R 300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
R 301 Reflection Attack in an Authentication Protocol
R 302 Authentication Bypass by Assumed-Immutable Data
R 303 Incorrect Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
R 305 Authentication Bypass by Primary Weakness
R 306 Missing Authentication for Critical Function
R 307 Improper Restriction of Excessive Authentication Attempts
R 308 Use of Single-factor Authentication
R 309 Use of Password System for Primary Authentication
R 311 Missing Encryption of Sensitive Data
R 312 Cleartext Storage of Sensitive Information
R 313 Plaintext Storage in a File or on Disk
R 314 Plaintext Storage in the Registry
R 315 Plaintext Storage in a Cookie
R 316 Plaintext Storage in Memory
R 317 Plaintext Storage in GUI
R 318 Plaintext Storage in Executable
R 319 Cleartext Transmission of Sensitive Information
R 321 Use of Hard-coded Cryptographic Key
R 322 Key Exchange without Entity Authentication
R 323 Reusing a Nonce, Key Pair in Encryption
R 324 Use of a Key Past its Expiration Date
R 325 Missing Required Cryptographic Step
R 326 Inadequate Encryption Strength
R 327 Use of a Broken or Risky Cryptographic Algorithm
R 328 Reversible One-Way Hash
R 329 Not Using a Random IV with CBC Mode
R 330 Use of Insufficiently Random Values
R 331 Insufficient Entropy
R 332 Insufficient Entropy in PRNG
R 333 Improper Handling of Insufficient Entropy in TRNG
R 334 Small Space of Random Values
R 335 PRNG Seed Error
R 336 Same Seed in PRNG
R 337 Predictable Seed in PRNG
R 338 Use of Cryptographically Weak PRNG
R 339 Small Seed Space in PRNG
R 340 Predictability Problems
R 341 Predictable from Observable State
R 342 Predictable Exact Value from Previous Values
R 343 Predictable Value Range from Previous Values
R 344 Use of Invariant Value in Dynamically Changing Context
R 345 Insufficient Verification of Data Authenticity
R 346 Origin Validation Error
R 347 Improper Verification of Cryptographic Signature
R 348 Use of Less Trusted Source
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 350 Improperly Trusted Reverse DNS
R 351 Insufficient Type Distinction
R 352 Cross-Site Request Forgery (CSRF)
R 353 Missing Support for Integrity Check
R 354 Improper Validation of Integrity Check Value
R 356 Product UI does not Warn User of Unsafe Actions
R 357 Insufficient UI Warning of Dangerous Operations
R 358 Improperly Implemented Security Check for Standard
R 359 Privacy Violation
R 360 Trust of System Event Data
R 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
R 363 Race Condition Enabling Link Following
R 364 Signal Handler Race Condition
R 365 Race Condition in Switch
R 366 Race Condition within a Thread
R 367 Time-of-check Time-of-use (TOCTOU) Race Condition
R 368 Context Switching Race Condition
R 369 Divide By Zero
R 370 Missing Check for Certificate Revocation after Initial Check
R 372 Incomplete Internal State Distinction
R 374 Passing Mutable Objects to an Untrusted Method
R 375 Returning a Mutable Object to an Untrusted Caller
R 377 Insecure Temporary File
R 378 Creation of Temporary File With Insecure Permissions
R 379 Creation of Temporary File in Directory with Incorrect Permissions
R 382 J2EE Bad Practices: Use of System.exit()
R 383 J2EE Bad Practices: Direct Use of Threads
R 385 Covert Timing Channel
R 386 Symbolic Name not Mapping to Correct Object
R 390 Detection of Error Condition Without Action
R 391 Unchecked Error Condition
R 392 Missing Report of Error Condition
R 393 Return of Wrong Status Code
R 394 Unexpected Status Code or Return Value
R 395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
R 396 Declaration of Catch for Generic Exception
R 397 Declaration of Throws for Generic Exception
R 398 Indicator of Poor Code Quality
R 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
R 401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
R 402 Transmission of Private Resources into a New Sphere ('Resource Leak')
R 403 Exposure of File Descriptor to Unintended Control Sphere
R 404 Improper Resource Shutdown or Release
R 405 Asymmetric Resource Consumption (Amplification)
R 406 Insufficient Control of Network Message Volume (Network Amplification)
R 407 Algorithmic Complexity
R 408 Incorrect Behavior Order: Early Amplification
R 409 Improper Handling of Highly Compressed Data (Data Amplification)
R 410 Insufficient Resource Pool
R 412 Unrestricted Externally Accessible Lock
R 413 Improper Resource Locking
R 414 Missing Lock Check
R 415 Double Free
R 416 Use After Free
R 419 Unprotected Primary Channel
R 420 Unprotected Alternate Channel
R 421 Race Condition During Access to Alternate Channel
R 422 Unprotected Windows Messaging Channel ('Shatter')
R 424 Improper Protection of Alternate Path
R 425 Direct Request ('Forced Browsing')
R 427 Uncontrolled Search Path Element
R 428 Unquoted Search Path or Element
R 430 Deployment of Wrong Handler
R 431 Missing Handler
R 432 Dangerous Signal Handler not Disabled During Sensitive Operations
R 433 Unparsed Raw Web Content Delivery
R 434 Unrestricted Upload of File with Dangerous Type
R 435 Interaction Error
R 436 Interpretation Conflict
R 437 Incomplete Model of Endpoint Features
R 439 Behavioral Change in New Version or Environment
R 440 Expected Behavior Violation
R 441 Unintended Proxy/Intermediary
R 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
R 446 UI Discrepancy for Security Feature
R 447 Unimplemented or Unsupported Feature in UI
R 448 Obsolete Feature in UI
R 449 The UI Performs the Wrong Action
R 450 Multiple Interpretations of UI Input
R 451 UI Misrepresentation of Critical Information
R 453 Insecure Default Variable Initialization
R 454 External Initialization of Trusted Variables or Data Stores
R 455 Non-exit on Failed Initialization
R 456 Missing Initialization
R 457 Use of Uninitialized Variable
R 459 Incomplete Cleanup
R 460 Improper Cleanup on Thrown Exception
R 462 Duplicate Key in Associative List (Alist)
R 463 Deletion of Data Structure Sentinel
R 464 Addition of Data Structure Sentinel
R 466 Return of Pointer Value Outside of Expected Range
R 467 Use of sizeof() on a Pointer Type
R 468 Incorrect Pointer Scaling
R 469 Use of Pointer Subtraction to Determine Size
R 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
R 471 Modification of Assumed-Immutable Data (MAID)
R 472 External Control of Assumed-Immutable Web Parameter
R 473 PHP External Variable Modification
R 474 Use of Function with Inconsistent Implementations
R 475 Undefined Behavior for Input to API
R 476 NULL Pointer Dereference
R 477 Use of Obsolete Functions
R 478 Missing Default Case in Switch Statement
R 479 Signal Handler Use of a Non-reentrant Function
R 480 Use of Incorrect Operator
R 481 Assigning instead of Comparing
R 482 Comparing instead of Assigning
R 483 Incorrect Block Delimitation
R 484 Omitted Break Statement in Switch
R 485 Insufficient Encapsulation
R 486 Comparison of Classes by Name
R 487 Reliance on Package-level Scope
R 488 Exposure of Data Element to Wrong Session
R 489 Leftover Debug Code
R 491 Public cloneable() Method Without Final ('Object Hijack')
R 492 Use of Inner Class Containing Sensitive Data
R 493 Critical Public Variable Without Final Modifier
R 494 Download of Code Without Integrity Check
R 495 Private Array-Typed Field Returned From A Public Method
R 496 Public Data Assigned to Private Array-Typed Field
R 497 Exposure of System Data to an Unauthorized Control Sphere
R 498 Cloneable Class Containing Sensitive Information
R 499 Serializable Class Containing Sensitive Data
R 500 Public Static Field Not Marked Final
R 501 Trust Boundary Violation
R 502 Deserialization of Untrusted Data
R 506 Embedded Malicious Code
R 507 Trojan Horse
R 508 Non-Replicating Malicious Code
R 509 Replicating Malicious Code (Virus or Worm)
R 510 Trapdoor
R 511 Logic/Time Bomb
R 512 Spyware
R 514 Covert Channel
R 515 Covert Storage Channel
R 520 .NET Misconfiguration: Use of Impersonation
R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
R 523 Unprotected Transport of Credentials
R 524 Information Exposure Through Caching
R 525 Information Exposure Through Browser Caching
R 526 Information Exposure Through Environmental Variables
R 527 Exposure of CVS Repository to an Unauthorized Control Sphere
R 528 Exposure of Core Dump File to an Unauthorized Control Sphere
R 529 Exposure of Access Control List Files to an Unauthorized Control Sphere
R 530 Exposure of Backup File to an Unauthorized Control Sphere
R 531 Information Exposure Through Test Code
R 532 Information Exposure Through Log Files
R 533 Information Exposure Through Server Log Files
R 534 Information Exposure Through Debug Log Files
R 535 Information Exposure Through Shell Error Message
R 536 Information Exposure Through Servlet Runtime Error Message
R 537 Information Exposure Through Java Runtime Error Message
R 538 File and Directory Information Exposure
R 539 Information Exposure Through Persistent Cookies
R 540 Information Exposure Through Source Code
R 541 Information Exposure Through Include Source Code
R 542 Information Exposure Through Cleanup Log Files
R 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
R 544 Missing Standardized Error Handling Mechanism
R 545 Use of Dynamic Class Loading
R 546 Suspicious Comment
R 547 Use of Hard-coded, Security-relevant Constants
R 548 Information Exposure Through Directory Listing
R 549 Missing Password Field Masking
R 550 Information Exposure Through Server Error Message
R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
R 552 Files or Directories Accessible to External Parties
R 553 Command Shell in Externally Accessible Directory
R 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
R 555 J2EE Misconfiguration: Plaintext Password in Configuration File
R 556 ASP.NET Misconfiguration: Use of Identity Impersonation
R 558 Use of getlogin() in Multithreaded Application
R 560 Use of umask() with chmod-style Argument
R 561 Dead Code
R 562 Return of Stack Variable Address
R 563 Unused Variable
R 564 SQL Injection: Hibernate
R 565 Reliance on Cookies without Validation and Integrity Checking
R 566 Authorization Bypass Through User-Controlled SQL Primary Key
R 567 Unsynchronized Access to Shared Data in a Multithreaded Context
R 568 finalize() Method Without super.finalize()
R 570 Expression is Always False
R 571 Expression is Always True
R 572 Call to Thread run() instead of start()
R 573 Improper Following of Specification by Caller
R 574 EJB Bad Practices: Use of Synchronization Primitives
R 575 EJB Bad Practices: Use of AWT Swing
R 576 EJB Bad Practices: Use of Java I/O
R 577 EJB Bad Practices: Use of Sockets
R 578 EJB Bad Practices: Use of Class Loader
R 579 J2EE Bad Practices: Non-serializable Object Stored in Session
R 580 clone() Method Without super.clone()
R 581 Object Model Violation: Just One of Equals and Hashcode Defined
R 582 Array Declared Public, Final, and Static
R 583 finalize() Method Declared Public
R 584 Return Inside Finally Block
R 585 Empty Synchronized Block
R 586 Explicit Call to Finalize()
R 587 Assignment of a Fixed Address to a Pointer
R 588 Attempt to Access Child of a Non-structure Pointer
R 589 Call to Non-ubiquitous API
R 590 Free of Memory not on the Heap
R 591 Sensitive Data Storage in Improperly Locked Memory
R 592 Authentication Bypass Issues
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
R 594 J2EE Framework: Saving Unserializable Objects to Disk
R 595 Comparison of Object References Instead of Object Contents
R 596 Incorrect Semantic Object Comparison
R 597 Use of Wrong Operator in String Comparison
R 598 Information Exposure Through Query Strings in GET Request
R 599 Trust of OpenSSL Certificate Without Validation
R 600 Uncaught Exception in Servlet
R 601 URL Redirection to Untrusted Site ('Open Redirect')
R 602 Client-Side Enforcement of Server-Side Security
R 603 Use of Client-Side Authentication
R 605 Multiple Binds to the Same Port
R 606 Unchecked Input for Loop Condition
R 607 Public Static Final Field References Mutable Object
R 608 Struts: Non-private Field in ActionForm Class
R 609 Double-Checked Locking
R 610 Externally Controlled Reference to a Resource in Another Sphere
R 611 Information Exposure Through XML External Entity Reference
R 612 Information Exposure Through Indexing of Private Data
R 613 Insufficient Session Expiration
R 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
R 615 Information Exposure Through Comments
R 616 Incomplete Identification of Uploaded File Variables (PHP)
R 617 Reachable Assertion
R 618 Exposed Unsafe ActiveX Method
R 619 Dangling Database Cursor ('Cursor Injection')
R 620 Unverified Password Change
R 621 Variable Extraction Error
R 622 Unvalidated Function Hook Arguments
R 623 Unsafe ActiveX Control Marked Safe For Scripting
R 624 Executable Regular Expression Error
R 625 Permissive Regular Expression
R 626 Null Byte Interaction Error (Poison Null Byte)
R 627 Dynamic Variable Evaluation
R 628 Function Call with Incorrectly Specified Arguments
R 636 Not Failing Securely ('Failing Open')
R 637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
R 638 Not Using Complete Mediation
R 639 Authorization Bypass Through User-Controlled Key
R 640 Weak Password Recovery Mechanism for Forgotten Password
R 641 Improper Restriction of Names for Files and Other Resources
R 642 External Control of Critical State Data
R 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
R 644 Improper Neutralization of HTTP Headers for Scripting Syntax
R 645 Overly Restrictive Account Lockout Mechanism
R 646 Reliance on File Name or Extension of Externally-Supplied File
R 647 Use of Non-Canonical URL Paths for Authorization Decisions
R 648 Incorrect Use of Privileged APIs
R 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
R 650 Trusting HTTP Permission Methods on the Server Side
R 651 Information Exposure Through WSDL File
R 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
R 653 Insufficient Compartmentalization
R 654 Reliance on a Single Factor in a Security Decision
R 655 Insufficient Psychological Acceptability
R 656 Reliance on Security Through Obscurity
R 657 Violation of Secure Design Principles
R 662 Improper Synchronization
R 663 Use of a Non-reentrant Function in a Concurrent Context
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 666 Operation on Resource in Wrong Phase of Lifetime
R 667 Improper Locking
R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
R 670 Always-Incorrect Control Flow Implementation
R 671 Lack of Administrator Control over Security
R 672 Operation on a Resource after Expiration or Release
R 673 External Influence of Sphere Definition
R 674 Uncontrolled Recursion
R 675 Duplicate Operations on Resource
R 676 Use of Potentially Dangerous Function
R 681 Incorrect Conversion between Numeric Types
R 682 Incorrect Calculation
R 683 Function Call With Incorrect Order of Arguments
R 684 Incorrect Provision of Specified Functionality
R 685 Function Call With Incorrect Number of Arguments
R 686 Function Call With Incorrect Argument Type
R 687 Function Call With Incorrectly Specified Argument Value
R 688 Function Call With Incorrect Variable or Reference as Argument
R 691 Insufficient Control Flow Management
R 693 Protection Mechanism Failure
R 694 Use of Multiple Resources with Duplicate Identifier
R 695 Use of Low-Level Functionality
R 696 Incorrect Behavior Order
R 697 Insufficient Comparison
R 698 Redirect Without Exit
R 703 Improper Check or Handling of Exceptional Conditions
R 704 Incorrect Type Conversion or Cast
R 705 Incorrect Control Flow Scoping
R 706 Use of Incorrectly-Resolved Name or Reference
R 707 Improper Enforcement of Message or Data Structure
R 708 Incorrect Ownership Assignment
R 710 Coding Standards Violation
R 732 Incorrect Permission Assignment for Critical Resource
R 733 Compiler Optimization Removal or Modification of Security-critical Code
R 749 Exposed Dangerous Method or Function
R 754 Improper Check for Unusual or Exceptional Conditions
R 755 Improper Handling of Exceptional Conditions
R 756 Missing Custom Error Page
R 757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
R 758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
R 759 Use of a One-Way Hash without a Salt
R 760 Use of a One-Way Hash with a Predictable Salt
R 761 Free of Pointer not at Start of Buffer
R 762 Mismatched Memory Management Routines
R 763 Release of Invalid Pointer or Reference
R 764 Multiple Locks of a Critical Resource
R 765 Multiple Unlocks of a Critical Resource
R 766 Critical Variable Declared Public
R 767 Access to Critical Private Variable via Public Method
R 768 Incorrect Short Circuit Evaluation
R 770 Allocation of Resources Without Limits or Throttling
R 771 Missing Reference to Active Allocated Resource
R 772 Missing Release of Resource after Effective Lifetime
R 773 Missing Reference to Active File Descriptor or Handle
R 774 Allocation of File Descriptors or Handles Without Limits or Throttling
R 775 Missing Release of File Descriptor or Handle after Effective Lifetime
R 783 Operator Precedence Logic Error
R 785 Use of Path Manipulation Function without Maximum-sized Buffer
R 786 Access of Memory Location Before Start of Buffer
R 788 Access of Memory Location After End of Buffer
R 798 Use of Hard-coded Credentials
R 805 Buffer Access with Incorrect Length Value
R 807 Reliance on Untrusted Inputs in a Security Decision
R 821 Incorrect Synchronization
R 822 Untrusted Pointer Dereference
R 825 Expired Pointer Dereference
R 829 Inclusion of Functionality from Untrusted Control Sphere
R 834 Excessive Iteration
R 835 Loop with Unreachable Exit Condition ('Infinite Loop')
R 838 Inappropriate Encoding for Output Context
R 839 Numeric Range Comparison Without Minimum Check
R 841 Improper Enforcement of Behavioral Workflow
R 847 CERT Java Secure Coding Section 02 - Expressions (EXP)
R 849 CERT Java Secure Coding Section 04 - Object Orientation (OBJ)
R 850 CERT Java Secure Coding Section 05 - Methods (MET)
R 854 CERT Java Secure Coding Section 09 - Thread APIs (THI)
R 857 CERT Java Secure Coding Section 12 - Input Output (FIO)
R 860 CERT Java Secure Coding Section 15 - Runtime Environment (ENV)
R 861 CERT Java Secure Coding Section 49 - Miscellaneous (MSC)
R 862 Missing Authorization
R 863 Incorrect Authorization
Detailed Difference Report
Detailed Difference Report
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Relationships
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Demonstrative_Examples, Relationships
Minor None
7 J2EE Misconfiguration: Missing Custom Error Page
Major Demonstrative_Examples, Relationships
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Relationships
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Relationships
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Relationships
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Demonstrative_Examples, Relationships
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Relationships
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Common_Consequences, References, Relationships
Minor None
15 External Control of System or Configuration Setting
Major Relationships, Taxonomy_Mappings
Minor None
20 Improper Input Validation
Major Demonstrative_Examples, References, Related_Attack_Patterns, Relationships
Minor None
21 Pathname Traversal and Equivalence Errors
Major Related_Attack_Patterns
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Demonstrative_Examples, References, Relationships
Minor None
23 Relative Path Traversal
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
24 Path Traversal: '../filedir'
Major Relationships
Minor None
25 Path Traversal: '/../filedir'
Major Relationships
Minor None
26 Path Traversal: '/dir/../filename'
Major Relationships
Minor None
27 Path Traversal: 'dir/../../filename'
Major Observed_Examples, Relationships
Minor None
28 Path Traversal: '..\filedir'
Major Observed_Examples, Relationships
Minor None
29 Path Traversal: '\..\filename'
Major Observed_Examples, Relationships
Minor None
30 Path Traversal: '\dir\..\filename'
Major Relationships
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Observed_Examples, References, Relationships
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Relationships
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Relationships
Minor None
34 Path Traversal: '....//'
Major Observed_Examples, Relationships
Minor None
35 Path Traversal: '.../...//'
Major Relationships
Minor None
36 Absolute Path Traversal
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Relationships
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Observed_Examples, Relationships
Minor None
39 Path Traversal: 'C:dirname'
Major Common_Consequences, Observed_Examples, Relationships
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Observed_Examples, References, Relationships
Minor None
41 Improper Resolution of Path Equivalence
Major Common_Consequences, Observed_Examples, Relationships
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Relationships
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Relationships
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Relationships
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Relationships
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Relationships
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Relationships
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Relationships
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Observed_Examples, Relationships
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Observed_Examples, Relationships
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Relationships
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Relationships
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Relationships
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Observed_Examples, Relationships
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Observed_Examples, Relationships
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Relationships
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Observed_Examples, Relationships
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major References, Relationships
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Common_Consequences, Observed_Examples, References, Relationships
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Observed_Examples, References
Minor None
62 UNIX Hard Link
Major Observed_Examples, References, Relationships
Minor None
64 Windows Shortcut Following (.LNK)
Major Observed_Examples, Relationships
Minor None
65 Windows Hard Link
Major Observed_Examples, References, Relationships
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Relationships
Minor None
67 Improper Handling of Windows Device Names
Major Observed_Examples, References, Relationships, Taxonomy_Mappings
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Observed_Examples, References, Relationships
Minor None
71 Apple '.DS_Store'
Major Related_Attack_Patterns, Relationships
Minor None
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Observed_Examples, Relationships
Minor None
73 External Control of File Name or Path
Major Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Related_Attack_Patterns, Relationships
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Relationships
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Relationships
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Common_Consequences, Demonstrative_Examples, References, Related_Attack_Patterns, Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major References, Relationships
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Related_Attack_Patterns, Relationships
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major References, Relationships
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Relationships
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Relationships
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Relationships
Minor None
85 Doubled Character XSS Manipulations
Major Related_Attack_Patterns, Relationships
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Related_Attack_Patterns, Relationships
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Relationships
Minor None
88 Argument Injection or Modification
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Potential_Mitigations, References, Related_Attack_Patterns, Relationships
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Common_Consequences, Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
91 XML Injection (aka Blind XPath Injection)
Major References, Relationships
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Relationships
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Common_Consequences, Demonstrative_Examples, References, Relationships
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Relationships
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Common_Consequences, Relationships
Minor None
100 Technology-Specific Input Validation Problems
Major Relationships
Minor None
102 Struts: Duplicate Validation Forms
Major Relationships
Minor None
103 Struts: Incomplete validate() Method Definition
Major Relationships
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Relationships
Minor None
105 Struts: Form Field Without Validator
Major Relationships
Minor None
106 Struts: Plug-in Framework not in Use
Major Relationships
Minor None
107 Struts: Unused Validation Form
Major Relationships
Minor None
108 Struts: Unvalidated Action Form
Major Relationships
Minor None
109 Struts: Validator Turned Off
Major Relationships
Minor None
110 Struts: Validator Without Form Field
Major Relationships
Minor None
111 Direct Use of Unsafe JNI
Major Relationships, Taxonomy_Mappings
Minor None
112 Missing XML Validation
Major Relationships
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Common_Consequences, References, Relationships
Minor None
114 Process Control
Major Relationships
Minor None
115 Misinterpretation of Input
Major Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major References, Relationships, Taxonomy_Mappings
Minor None
117 Improper Output Neutralization for Logs
Major Common_Consequences, Relationships
Minor None
118 Improper Access of Indexable Resource ('Range Error')
Major Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major References, Relationships
Minor None
121 Stack-based Buffer Overflow
Major Demonstrative_Examples, References, Relationships
Minor None
122 Heap-based Buffer Overflow
Major Demonstrative_Examples, References, Relationships
Minor None
123 Write-what-where Condition
Major Common_Consequences, References, Relationships
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Demonstrative_Examples, References, Relationships
Minor None
125 Out-of-bounds Read
Major Demonstrative_Examples, References, Relationships
Minor None
126 Buffer Over-read
Major Demonstrative_Examples, Relationships
Minor None
127 Buffer Under-read
Major Relationships
Minor None
128 Wrap-around Error
Major Common_Consequences, Demonstrative_Examples, References, Relationships
Minor None
129 Improper Validation of Array Index
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Observed_Examples, Relationships
Minor None
131 Incorrect Calculation of Buffer Size
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships
Minor None
133 String Errors
Major Related_Attack_Patterns
Minor None
134 Uncontrolled Format String
Major Observed_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
135 Incorrect Calculation of Multi-Byte String Length
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
138 Improper Neutralization of Special Elements
Major Common_Consequences, Relationships
Minor None
140 Improper Neutralization of Delimiters
Major Relationships
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major References, Relationships
Minor None
142 Improper Neutralization of Value Delimiters
Major References, Relationships
Minor None
143 Improper Neutralization of Record Delimiters
Major References, Relationships
Minor None
144 Improper Neutralization of Line Delimiters
Major References, Relationships, Taxonomy_Mappings
Minor None
145 Improper Neutralization of Section Delimiters
Major References, Relationships
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major References, Relationships
Minor None
147 Improper Neutralization of Input Terminators
Major Related_Attack_Patterns, Relationships
Minor None
148 Improper Neutralization of Input Leaders
Major Relationships
Minor None
149 Improper Neutralization of Quoting Syntax
Major Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Relationships, Taxonomy_Mappings
Minor None
151 Improper Neutralization of Comment Delimiters
Major Relationships
Minor None
152 Improper Neutralization of Macro Symbols
Major Relationships
Minor None
153 Improper Neutralization of Substitution Characters
Major Relationships
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Relationships
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Relationships
Minor None
156 Improper Neutralization of Whitespace
Major Relationships
Minor None
157 Failure to Sanitize Paired Delimiters
Major Relationships
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Observed_Examples, References, Relationships
Minor None
159 Failure to Sanitize Special Element
Major Relationships
Minor None
160 Improper Neutralization of Leading Special Elements
Major Relationships
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Relationships
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Relationships
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Relationships
Minor None
164 Improper Neutralization of Internal Special Elements
Major Relationships
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Relationships
Minor None
166 Improper Handling of Missing Special Element
Major Relationships
Minor None
167 Improper Handling of Additional Special Element
Major Relationships
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Relationships
Minor None
170 Improper Null Termination
Major Relationships
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major References, Related_Attack_Patterns, Taxonomy_Mappings
Minor None
172 Encoding Error
Major Related_Attack_Patterns, Relationships
Minor None
173 Improper Handling of Alternate Encoding
Major Related_Attack_Patterns, Relationships
Minor None
174 Double Decoding of the Same Data
Major Common_Consequences, Observed_Examples, Relationships
Minor None
175 Improper Handling of Mixed Encoding
Major Relationships
Minor None
176 Improper Handling of Unicode Encoding
Major Observed_Examples, References, Relationships
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Related_Attack_Patterns, Relationships
Minor None
178 Improper Handling of Case Sensitivity
Major Observed_Examples, Relationships
Minor None
179 Incorrect Behavior Order: Early Validation
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
182 Collapse of Data into Unsafe Value
Major References, Relationships, Taxonomy_Mappings
Minor None
183 Permissive Whitelist
Major References, Relationships
Minor None
184 Incomplete Blacklist
Major References, Related_Attack_Patterns, Relationships
Minor None
185 Incorrect Regular Expression
Major Demonstrative_Examples, Related_Attack_Patterns, Relationships
Minor None
186 Overly Restrictive Regular Expression
Major Relationships
Minor None
187 Partial Comparison
Major Relationships
Minor None
188 Reliance on Data/Memory Layout
Major References, Relationships
Minor None
190 Integer Overflow or Wraparound
Major Common_Consequences, Demonstrative_Examples, References, Relationships
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Common_Consequences, References, Relationships
Minor None
192 Integer Coercion Error
Major Demonstrative_Examples, References
Minor None
193 Off-by-one Error
Major Common_Consequences, Observed_Examples, References, Relationships
Minor None
194 Unexpected Sign Extension
Major Demonstrative_Examples, Relationships
Minor None
195 Signed to Unsigned Conversion Error
Major Demonstrative_Examples, References, Relationships
Minor None
196 Unsigned to Signed Conversion Error
Major References, Relationships
Minor None
197 Numeric Truncation Error
Major References, Relationships, Taxonomy_Mappings
Minor None
198 Use of Incorrect Byte Ordering
Major Relationships
Minor None
200 Information Exposure
Major Related_Attack_Patterns, Relationships
Minor None
201 Information Exposure Through Sent Data
Major Relationships
Minor None
202 Exposure of Sensitive Data Through Data Queries
Major Related_Attack_Patterns, Relationships
Minor None
203 Information Exposure Through Discrepancy
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships
Minor None
204 Response Discrepancy Information Exposure
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
205 Information Exposure Through Behavioral Discrepancy
Major Relationships
Minor None
206 Information Exposure of Internal State Through Behavioral Inconsistency
Major Relationships
Minor None
207 Information Exposure Through an External Behavioral Inconsistency
Major Relationships
Minor None
208 Information Exposure Through Timing Discrepancy
Major Observed_Examples, Relationships
Minor None
209 Information Exposure Through an Error Message
Major References, Related_Attack_Patterns, Relationships
Minor None
210 Information Exposure Through Generated Error Message
Major References, Relationships
Minor None
211 Information Exposure Through External Error Message
Major Relationships
Minor None
212 Improper Cross-boundary Removal of Sensitive Data
Major Relationships
Minor None
213 Intentional Information Exposure
Major Relationships
Minor None
214 Information Exposure Through Process Environment
Major Relationships
Minor None
215 Information Exposure Through Debug Information
Major Relationships, Taxonomy_Mappings
Minor None
216 Containment Errors (Container Errors)
Major Relationships
Minor None
219 Sensitive Data Under Web Root
Major Relationships
Minor None
220 Sensitive Data Under FTP Root
Major Relationships
Minor None
221 Information Loss or Omission
Major Relationships
Minor None
222 Truncation of Security-relevant Information
Major Common_Consequences, Relationships
Minor None
223 Omission of Security-relevant Information
Major Common_Consequences, References, Relationships
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major References, Relationships
Minor None
226 Sensitive Information Uncleared Before Release
Major Relationships, Taxonomy_Mappings
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Relationships
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Common_Consequences, Relationships
Minor None
229 Improper Handling of Values
Major Relationships
Minor None
230 Improper Handling of Missing Values
Major Relationships
Minor None
231 Improper Handling of Extra Values
Major Relationships
Minor None
232 Improper Handling of Undefined Values
Major Relationships
Minor None
233 Parameter Problems
Major Relationships
Minor None
234 Failure to Handle Missing Parameter
Major Observed_Examples, Relationships
Minor None
235 Improper Handling of Extra Parameters
Major Related_Attack_Patterns, Relationships
Minor None
236 Improper Handling of Undefined Parameters
Major Relationships
Minor None
237 Improper Handling of Structural Elements
Major Relationships
Minor None
238 Improper Handling of Incomplete Structural Elements
Major Relationships
Minor None
239 Failure to Handle Incomplete Element
Major Relationships
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Relationships
Minor None
241 Improper Handling of Unexpected Data Type
Major Relationships
Minor None
242 Use of Inherently Dangerous Function
Major Relationships
Minor None
243 Creation of chroot Jail Without Changing Working Directory
Major Relationships
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Relationships
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Relationships
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major Relationships
Minor None
247 Reliance on DNS Lookups in a Security Decision
Major Demonstrative_Examples, References, Relationships
Minor None
248 Uncaught Exception
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
250 Execution with Unnecessary Privileges
Major References, Related_Attack_Patterns, Relationships
Minor None
252 Unchecked Return Value
Major Common_Consequences, References, Relationships
Minor None
253 Incorrect Check of Function Return Value
Major Common_Consequences, Demonstrative_Examples, References, Relationships
Minor None
256 Plaintext Storage of a Password
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
257 Storing Passwords in a Recoverable Format
Major Demonstrative_Examples, Relationships
Minor None
258 Empty Password in Configuration File
Major References, Relationships
Minor None
259 Use of Hard-coded Password
Major References, Relationships, Taxonomy_Mappings
Minor None
260 Password in Configuration File
Major References, Relationships
Minor None
261 Weak Cryptography for Passwords
Major References, Relationships
Minor None
262 Not Using Password Aging
Major References, Relationships
Minor None
263 Password Aging with Long Expiration
Major References, Relationships
Minor None
266 Incorrect Privilege Assignment
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
267 Privilege Defined With Unsafe Actions
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
268 Privilege Chaining
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
269 Improper Privilege Management
Major References, Relationships
Minor None
270 Privilege Context Switching Error
Major Common_Consequences, Relationships
Minor None
271 Privilege Dropping / Lowering Errors
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
272 Least Privilege Violation
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
273 Improper Check for Dropped Privileges
Major Observed_Examples, Relationships
Minor None
274 Improper Handling of Insufficient Privileges
Major Relationships
Minor None
275 Permission Issues
Major References
Minor None
276 Incorrect Default Permissions
Major References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
277 Insecure Inherited Permissions
Major Relationships
Minor None
278 Insecure Preserved Inherited Permissions
Major Relationships
Minor None
279 Incorrect Execution-Assigned Permissions
Major Relationships, Taxonomy_Mappings
Minor None
280 Improper Handling of Insufficient Permissions or Privileges
Major Relationships
Minor None
281 Improper Preservation of Permissions
Major Observed_Examples, Relationships
Minor None
282 Improper Ownership Management
Major Relationships
Minor None
283 Unverified Ownership
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
284 Improper Access Control
Major References, Relationships
Minor None
285 Improper Authorization
Major Demonstrative_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
Minor None
286 Incorrect User Management
Major Relationships
Minor None
287 Improper Authentication
Major Relationships
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Relationships, Taxonomy_Mappings
Minor None
290 Authentication Bypass by Spoofing
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships
Minor None
291 Trusting Self-reported IP Address
Major Demonstrative_Examples, Relationships
Minor None
292 Trusting Self-reported DNS Name
Major Demonstrative_Examples, Relationships
Minor None
293 Using Referer Field for Authentication
Major Common_Consequences, Demonstrative_Examples, References, Relationships
Minor None
294 Authentication Bypass by Capture-replay
Major Observed_Examples, Relationships
Minor None
295 Certificate Issues
Major Related_Attack_Patterns
Minor None
296 Improper Following of Chain of Trust for Certificate Validation
Major References, Relationships
Minor None
297 Improper Validation of Host-specific Certificate Data
Major References, Relationships
Minor None
298 Improper Validation of Certificate Expiration
Major References, Relationships
Minor None
299 Improper Check for Certificate Revocation
Major References, Relationships
Minor None
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
301 Reflection Attack in an Authentication Protocol
Major Observed_Examples, References, Relationships
Minor None
302 Authentication Bypass by Assumed-Immutable Data
Major Relationships, Taxonomy_Mappings
Minor None
303 Incorrect Implementation of Authentication Algorithm
Major Relationships
Minor None
304 Missing Critical Step in Authentication
Major Common_Consequences, Relationships
Minor None
305 Authentication Bypass by Primary Weakness
Major Observed_Examples, Relationships
Minor None
306 Missing Authentication for Critical Function
Major Potential_Mitigations, Relationships
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Relationships
Minor None
308 Use of Single-factor Authentication
Major Relationships
Minor None
309 Use of Password System for Primary Authentication
Major Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
312 Cleartext Storage of Sensitive Information
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships
Minor None
313 Plaintext Storage in a File or on Disk
Major Demonstrative_Examples, Relationships
Minor None
314 Plaintext Storage in the Registry
Major Relationships
Minor None
315 Plaintext Storage in a Cookie
Major Demonstrative_Examples, Relationships
Minor None
316 Plaintext Storage in Memory
Major Relationships
Minor None
317 Plaintext Storage in GUI
Major Relationships
Minor None
318 Plaintext Storage in Executable
Major Relationships
Minor None
319 Cleartext Transmission of Sensitive Information
Major Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
321 Use of Hard-coded Cryptographic Key
Major Demonstrative_Examples, Relationships
Minor None
322 Key Exchange without Entity Authentication
Major References, Relationships
Minor None
323 Reusing a Nonce, Key Pair in Encryption
Major Relationships
Minor None
324 Use of a Key Past its Expiration Date
Major References, Relationships
Minor None
325 Missing Required Cryptographic Step
Major Common_Consequences, Relationships
Minor None
326 Inadequate Encryption Strength
Major References, Relationships
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
328 Reversible One-Way Hash
Major References, Related_Attack_Patterns, Relationships
Minor None
329 Not Using a Random IV with CBC Mode
Major References, Relationships
Minor None
330 Use of Insufficiently Random Values
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
331 Insufficient Entropy
Major Common_Consequences, Demonstrative_Examples, References, Relationships
Minor None
332 Insufficient Entropy in PRNG
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major Relationships
Minor None
334 Small Space of Random Values
Major Common_Consequences, Demonstrative_Examples, References, Relationships
Minor None
335 PRNG Seed Error
Major Common_Consequences, References, Relationships
Minor None
336 Same Seed in PRNG
Major Relationships
Minor None
337 Predictable Seed in PRNG
Major References, Relationships
Minor None
338 Use of Cryptographically Weak PRNG
Major Common_Consequences, Observed_Examples, References, Relationships
Minor None
339 Small Seed Space in PRNG
Major Relationships
Minor None
340 Predictability Problems
Major References, Relationships
Minor None
341 Predictable from Observable State
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
342 Predictable Exact Value from Previous Values
Major Observed_Examples, References, Relationships
Minor None
343 Predictable Value Range from Previous Values
Major References, Relationships
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major References, Related_Attack_Patterns, Relationships
Minor None
346 Origin Validation Error
Major Related_Attack_Patterns, Relationships
Minor None
347 Improper Verification of Cryptographic Signature
Major Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
348 Use of Less Trusted Source
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
350 Improperly Trusted Reverse DNS
Major Related_Attack_Patterns, Relationships
Minor None
351 Insufficient Type Distinction
Major Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Related_Attack_Patterns, Relationships
Minor None
353 Missing Support for Integrity Check
Major References, Relationships
Minor None
354 Improper Validation of Integrity Check Value
Major Related_Attack_Patterns, Relationships
Minor None
356 Product UI does not Warn User of Unsafe Actions
Major Relationships
Minor None
357 Insufficient UI Warning of Dangerous Operations
Major Relationships
Minor None
358 Improperly Implemented Security Check for Standard
Major Relationships, Taxonomy_Mappings
Minor None
359 Privacy Violation
Major Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
360 Trust of System Event Data
Major Relationships
Minor None
361 Time and State
Major Related_Attack_Patterns
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Potential_Mitigations, References, Relationships
Minor None
363 Race Condition Enabling Link Following
Major Demonstrative_Examples, References, Relationships
Minor None
364 Signal Handler Race Condition
Major Demonstrative_Examples, References, Relationships
Minor None
365 Race Condition in Switch
Major Demonstrative_Examples, References, Relationships
Minor None
366 Race Condition within a Thread
Major References, Relationships
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
368 Context Switching Race Condition
Major References, Relationships
Minor None
369 Divide By Zero
Major Relationships, Taxonomy_Mappings
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major References, Relationships
Minor None
372 Incomplete Internal State Distinction
Major Relationships
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Relationships, Taxonomy_Mappings
Minor None
375 Returning a Mutable Object to an Untrusted Caller
Major Relationships, Taxonomy_Mappings
Minor None
377 Insecure Temporary File
Major References, Relationships, Taxonomy_Mappings
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Relationships
Minor None
379 Creation of Temporary File in Directory with Incorrect Permissions
Major References, Relationships
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major Relationships
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Relationships
Minor None
385 Covert Timing Channel
Major Related_Attack_Patterns, Relationships
Minor None
386 Symbolic Name not Mapping to Correct Object
Major Relationships
Minor None
388 Error Handling
Major References
Minor None
390 Detection of Error Condition Without Action
Major Common_Consequences, References, Relationships
Minor None
391 Unchecked Error Condition
Major Relationships
Minor None
392 Missing Report of Error Condition
Major Common_Consequences, Relationships
Minor None
393 Return of Wrong Status Code
Major Common_Consequences, Relationships
Minor None
394 Unexpected Status Code or Return Value
Major Relationships
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Relationships
Minor None
396 Declaration of Catch for Generic Exception
Major References, Relationships
Minor None
397 Declaration of Throws for Generic Exception
Major Relationships
Minor None
398 Indicator of Poor Code Quality
Major Relationships
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Relationships, Taxonomy_Mappings
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Relationships
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere
Major Relationships
Minor None
404 Improper Resource Shutdown or Release
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Relationships, Taxonomy_Mappings
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Common_Consequences, Relationships
Minor None
407 Algorithmic Complexity
Major Observed_Examples, Relationships
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Common_Consequences, Relationships
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships, Taxonomy_Mappings
Minor None
410 Insufficient Resource Pool
Major Relationships
Minor None
412 Unrestricted Externally Accessible Lock
Major Demonstrative_Examples, Relationships
Minor None
413 Improper Resource Locking
Major Demonstrative_Examples, Relationships
Minor None
414 Missing Lock Check
Major Relationships
Minor None
415 Double Free
Major References, Relationships
Minor None
416 Use After Free
Major References, Relationships
Minor None
419 Unprotected Primary Channel
Major Relationships
Minor None
420 Unprotected Alternate Channel
Major Relationships
Minor None
421 Race Condition During Access to Alternate Channel
Major References, Relationships
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major References, Relationships
Minor None
424 Improper Protection of Alternate Path
Major Related_Attack_Patterns, Relationships
Minor None
425 Direct Request ('Forced Browsing')
Major Related_Attack_Patterns, Relationships
Minor None
426 Untrusted Search Path
Major Demonstrative_Examples, References
Minor None
427 Uncontrolled Search Path Element
Major Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
428 Unquoted Search Path or Element
Major References, Relationships
Minor None
430 Deployment of Wrong Handler
Major References, Relationships
Minor None
431 Missing Handler
Major References, Relationships
Minor None
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major Relationships
Minor None
433 Unparsed Raw Web Content Delivery
Major References, Relationships
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major References, Relationships
Minor None
435 Interaction Error
Major Relationships
Minor None
436 Interpretation Conflict
Major Relationships
Minor None
437 Incomplete Model of Endpoint Features
Major Relationships
Minor None
439 Behavioral Change in New Version or Environment
Major Relationships
Minor None
440 Expected Behavior Violation
Major Relationships
Minor None
441 Unintended Proxy/Intermediary
Major Related_Attack_Patterns, Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Common_Consequences, Relationships
Minor None
446 UI Discrepancy for Security Feature
Major Relationships
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Relationships
Minor None
448 Obsolete Feature in UI
Major Relationships
Minor None
449 The UI Performs the Wrong Action
Major Relationships
Minor None
450 Multiple Interpretations of UI Input
Major Relationships
Minor None
451 UI Misrepresentation of Critical Information
Major Relationships
Minor None
453 Insecure Default Variable Initialization
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor None
455 Non-exit on Failed Initialization
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
456 Missing Initialization
Major References, Relationships
Minor None
457 Use of Uninitialized Variable
Major References, Relationships
Minor None
459 Incomplete Cleanup
Major Relationships, Taxonomy_Mappings
Minor None
460 Improper Cleanup on Thrown Exception
Major Relationships
Minor None
462 Duplicate Key in Associative List (Alist)
Major Relationships
Minor None
463 Deletion of Data Structure Sentinel
Major References, Relationships
Minor None
464 Addition of Data Structure Sentinel
Major Relationships
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Potential_Mitigations, References, Relationships
Minor None
467 Use of sizeof() on a Pointer Type
Major Relationships
Minor None
468 Incorrect Pointer Scaling
Major Demonstrative_Examples, References, Relationships
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Relationships
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Relationships, Taxonomy_Mappings
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Demonstrative_Examples, References, Relationships
Minor None
473 PHP External Variable Modification
Major Relationships
Minor None
474 Use of Function with Inconsistent Implementations
Major Relationships
Minor None
475 Undefined Behavior for Input to API
Major Relationships
Minor None
476 NULL Pointer Dereference
Major Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
477 Use of Obsolete Functions
Major Relationships
Minor None
478 Missing Default Case in Switch Statement
Major References, Relationships
Minor None
479 Signal Handler Use of a Non-reentrant Function
Major References, Relationships, Taxonomy_Mappings
Minor None
480 Use of Incorrect Operator
Major Common_Consequences, References, Relationships, Taxonomy_Mappings
Minor None
481 Assigning instead of Comparing
Major References, Relationships
Minor None
482 Comparing instead of Assigning
Major References, Relationships
Minor None
483 Incorrect Block Delimitation
Major Relationships
Minor None
484 Omitted Break Statement in Switch
Major Common_Consequences, References, Relationships, Taxonomy_Mappings
Minor None
485 Insufficient Encapsulation
Major Relationships
Minor None
486 Comparison of Classes by Name
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
487 Reliance on Package-level Scope
Major Relationships, Taxonomy_Mappings
Minor None
488 Exposure of Data Element to Wrong Session
Major Relationships
Minor None
489 Leftover Debug Code
Major Relationships
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major Relationships, Taxonomy_Mappings
Minor None
492 Use of Inner Class Containing Sensitive Data
Major Relationships, Taxonomy_Mappings
Minor None
493 Critical Public Variable Without Final Modifier
Major Relationships, Taxonomy_Mappings
Minor None
494 Download of Code Without Integrity Check
Major References, Relationships, Taxonomy_Mappings
Minor None
495 Private Array-Typed Field Returned From A Public Method
Major Common_Consequences, Relationships
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Common_Consequences, Relationships
Minor None
497 Exposure of System Data to an Unauthorized Control Sphere
Major Related_Attack_Patterns, Relationships
Minor None
498 Cloneable Class Containing Sensitive Information
Major Relationships, Taxonomy_Mappings
Minor None
499 Serializable Class Containing Sensitive Data
Major Relationships, Taxonomy_Mappings
Minor None
500 Public Static Field Not Marked Final
Major Relationships, Taxonomy_Mappings
Minor None
501 Trust Boundary Violation
Major Relationships
Minor None
502 Deserialization of Untrusted Data
Major Relationships, Taxonomy_Mappings
Minor None
506 Embedded Malicious Code
Major Relationships
Minor None
507 Trojan Horse
Major Relationships
Minor None
508 Non-Replicating Malicious Code
Major Relationships
Minor None
509 Replicating Malicious Code (Virus or Worm)
Major Relationships
Minor None
510 Trapdoor
Major Relationships
Minor None
511 Logic/Time Bomb
Major Relationships
Minor None
512 Spyware
Major Relationships
Minor None
514 Covert Channel
Major Related_Attack_Patterns, Relationships
Minor None
515 Covert Storage Channel
Major Relationships
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Relationships
Minor None
521 Weak Password Requirements
Major Common_Consequences, References, Relationships
Minor None
522 Insufficiently Protected Credentials
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships
Minor None
523 Unprotected Transport of Credentials
Major Relationships
Minor None
524 Information Exposure Through Caching
Major Relationships, Taxonomy_Mappings
Minor None
525 Information Exposure Through Browser Caching
Major Relationships
Minor None
526 Information Exposure Through Environmental Variables
Major Relationships, Taxonomy_Mappings
Minor None
527 Exposure of CVS Repository to an Unauthorized Control Sphere
Major Relationships
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Relationships, Taxonomy_Mappings
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Relationships
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Relationships
Minor None
531 Information Exposure Through Test Code
Major Relationships
Minor None
532 Information Exposure Through Log Files
Major Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
533 Information Exposure Through Server Log Files
Major Relationships, Taxonomy_Mappings
Minor None
534 Information Exposure Through Debug Log Files
Major Relationships, Taxonomy_Mappings
Minor None
535 Information Exposure Through Shell Error Message
Major Relationships
Minor None
536 Information Exposure Through Servlet Runtime Error Message
Major Relationships
Minor None
537 Information Exposure Through Java Runtime Error Message
Major Relationships
Minor None
538 File and Directory Information Exposure
Major References, Related_Attack_Patterns, Relationships
Minor None
539 Information Exposure Through Persistent Cookies
Major Relationships, Taxonomy_Mappings
Minor None
540 Information Exposure Through Source Code
Major Relationships
Minor None
541 Information Exposure Through Include Source Code
Major Relationships
Minor None
542 Information Exposure Through Cleanup Log Files
Major Relationships, Taxonomy_Mappings
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Relationships, Taxonomy_Mappings
Minor None
544 Missing Standardized Error Handling Mechanism
Major Relationships
Minor None
545 Use of Dynamic Class Loading
Major Common_Consequences, Relationships
Minor None
546 Suspicious Comment
Major Common_Consequences, Relationships
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Common_Consequences, Relationships
Minor None
548 Information Exposure Through Directory Listing
Major Relationships
Minor None
549 Missing Password Field Masking
Major References, Relationships
Minor None
550 Information Exposure Through Server Error Message
Major Relationships
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships
Minor None
553 Command Shell in Externally Accessible Directory
Major Relationships
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Relationships
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Relationships
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Relationships
Minor None
558 Use of getlogin() in Multithreaded Application
Major Relationships
Minor None
560 Use of umask() with chmod-style Argument
Major Relationships
Minor None
561 Dead Code
Major Common_Consequences, Relationships
Minor None
562 Return of Stack Variable Address
Major Relationships
Minor None
563 Unused Variable
Major Common_Consequences, Relationships
Minor None
564 SQL Injection: Hibernate
Major Relationships
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Demonstrative_Examples, Relationships
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Relationships
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Relationships
Minor None
568 finalize() Method Without super.finalize()
Major Relationships, Taxonomy_Mappings
Minor None
570 Expression is Always False
Major Relationships
Minor None
571 Expression is Always True
Major Relationships
Minor None
572 Call to Thread run() instead of start()
Major Relationships, Taxonomy_Mappings
Minor None
573 Improper Following of Specification by Caller
Major Relationships, Taxonomy_Mappings
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Relationships
Minor None
575 EJB Bad Practices: Use of AWT Swing
Major Relationships
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Relationships
Minor None
577 EJB Bad Practices: Use of Sockets
Major Relationships
Minor None
578 EJB Bad Practices: Use of Class Loader
Major Relationships
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Relationships
Minor None
580 clone() Method Without super.clone()
Major Relationships
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Relationships, Taxonomy_Mappings
Minor None
582 Array Declared Public, Final, and Static
Major Relationships, Taxonomy_Mappings
Minor None
583 finalize() Method Declared Public
Major Relationships, Taxonomy_Mappings
Minor None
584 Return Inside Finally Block
Major Relationships, Taxonomy_Mappings
Minor None
585 Empty Synchronized Block
Major Relationships
Minor None
586 Explicit Call to Finalize()
Major Relationships, Taxonomy_Mappings
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Demonstrative_Examples, Relationships
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Relationships
Minor None
589 Call to Non-ubiquitous API
Major Relationships, Taxonomy_Mappings
Minor None
590 Free of Memory not on the Heap
Major Relationships
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Relationships
Minor None
592 Authentication Bypass Issues
Major References, Relationships
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Relationships
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Relationships
Minor None
595 Comparison of Object References Instead of Object Contents
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
596 Incorrect Semantic Object Comparison
Major Relationships
Minor None
597 Use of Wrong Operator in String Comparison
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
598 Information Exposure Through Query Strings in GET Request
Major Relationships
Minor None
599 Trust of OpenSSL Certificate Without Validation
Major Relationships
Minor None
600 Uncaught Exception in Servlet
Major Demonstrative_Examples, Relationships
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Relationships
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Relationships
Minor None
603 Use of Client-Side Authentication
Major References, Relationships
Minor None
605 Multiple Binds to the Same Port
Major Relationships
Minor None
606 Unchecked Input for Loop Condition
Major References, Relationships
Minor None
607 Public Static Final Field References Mutable Object
Major Relationships, Taxonomy_Mappings
Minor None
608 Struts: Non-private Field in ActionForm Class
Major Relationships
Minor None
609 Double-Checked Locking
Major Demonstrative_Examples, References, Relationships
Minor None
610 Externally Controlled Reference to a Resource in Another Sphere
Major Relationships
Minor None
611 Information Exposure Through XML External Entity Reference
Major Relationships
Minor None
612 Information Exposure Through Indexing of Private Data
Major Relationships
Minor None
613 Insufficient Session Expiration
Major Relationships
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Relationships
Minor None
615 Information Exposure Through Comments
Major Relationships
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Observed_Examples, Relationships
Minor None
617 Reachable Assertion
Major Common_Consequences, Observed_Examples, Relationships, Taxonomy_Mappings
Minor None
618 Exposed Unsafe ActiveX Method
Major References, Relationships
Minor None
619 Dangling Database Cursor ('Cursor Injection')
Major Relationships
Minor None
620 Unverified Password Change
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
621 Variable Extraction Error
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
622 Unvalidated Function Hook Arguments
Major Relationships
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major References, Relationships
Minor None
624 Executable Regular Expression Error
Major Relationships
Minor None
625 Permissive Regular Expression
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Relationships
Minor None
627 Dynamic Variable Evaluation
Major Common_Consequences, Relationships
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
630 Weaknesses Examined by SAMATE
Major References
Minor None
636 Not Failing Securely ('Failing Open')
Major Relationships
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Relationships
Minor None
638 Not Using Complete Mediation
Major Relationships
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Relationships
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major References, Relationships
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Observed_Examples, Relationships
Minor None
642 External Control of Critical State Data
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major References, Relationships
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Relationships
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Relationships
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Relationships
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Relationships, Taxonomy_Mappings
Minor None
648 Incorrect Use of Privileged APIs
Major Relationships
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Related_Attack_Patterns, Relationships
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Relationships
Minor None
651 Information Exposure Through WSDL File
Major Relationships
Minor None
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Relationships
Minor None
653 Insufficient Compartmentalization
Major Relationships
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Relationships
Minor None
655 Insufficient Psychological Acceptability
Major References, Relationships
Minor None
656 Reliance on Security Through Obscurity
Major Relationships
Minor None
657 Violation of Secure Design Principles
Major Relationships
Minor None
662 Improper Synchronization
Major Relationships
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Related_Attack_Patterns, Relationships
Minor None
665 Improper Initialization
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Relationships
Minor None
667 Improper Locking
Major Demonstrative_Examples, Observed_Examples, Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major Relationships, Taxonomy_Mappings
Minor None
671 Lack of Administrator Control over Security
Major Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
673 External Influence of Sphere Definition
Major Relationships
Minor None
674 Uncontrolled Recursion
Major Relationships
Minor None
675 Duplicate Operations on Resource
Major Relationships
Minor None
676 Use of Potentially Dangerous Function
Major References, Related_Attack_Patterns, Relationships, Weakness_Ordinalities
Minor None
681 Incorrect Conversion between Numeric Types
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
682 Incorrect Calculation
Major Demonstrative_Examples, References, Relationships
Minor None
683 Function Call With Incorrect Order of Arguments
Major Demonstrative_Examples, Relationships
Minor None
684 Incorrect Provision of Specified Functionality
Major Relationships
Minor None
685 Function Call With Incorrect Number of Arguments
Major Relationships
Minor None
686 Function Call With Incorrect Argument Type
Major Relationships
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Demonstrative_Examples, Relationships
Minor None
688 Function Call With Incorrect Variable or Reference as Argument
Major Demonstrative_Examples, Relationships
Minor None
689 Permission Race Condition During Resource Copy
Major References
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
692 Incomplete Blacklist to Cross-Site Scripting
Major Related_Attack_Patterns
Minor None
693 Protection Mechanism Failure
Major Related_Attack_Patterns, Relationships
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Relationships
Minor None
695 Use of Low-Level Functionality
Major Relationships
Minor None
696 Incorrect Behavior Order
Major Related_Attack_Patterns, Relationships, Weakness_Ordinalities
Minor None
697 Insufficient Comparison
Major Related_Attack_Patterns, Relationships
Minor None
698 Redirect Without Exit
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major References, Relationships, Taxonomy_Mappings
Minor None
704 Incorrect Type Conversion or Cast
Major Relationships
Minor None
705 Incorrect Control Flow Scoping
Major Relationships, Taxonomy_Mappings
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Related_Attack_Patterns, Relationships
Minor None
707 Improper Enforcement of Message or Data Structure
Major Related_Attack_Patterns, Relationships
Minor None
708 Incorrect Ownership Assignment
Major Common_Consequences, Relationships
Minor None
710 Coding Standards Violation
Major Relationships
Minor None
713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Major Related_Attack_Patterns
Minor None
714 OWASP Top Ten 2007 Category A3 - Malicious File Execution
Major Related_Attack_Patterns
Minor None
721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Major Related_Attack_Patterns
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
733 Compiler Optimization Removal or Modification of Security-critical Code
Major Relationships
Minor None
749 Exposed Dangerous Method or Function
Major Relationships
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Relationships
Minor None
755 Improper Handling of Exceptional Conditions
Major Relationships
Minor None
756 Missing Custom Error Page
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Major Relationships
Minor None
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Major Relationships
Minor None
759 Use of a One-Way Hash without a Salt
Major References, Related_Attack_Patterns, Relationships
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major References, Relationships
Minor None
761 Free of Pointer not at Start of Buffer
Major Demonstrative_Examples, Relationships
Minor None
762 Mismatched Memory Management Routines
Major Demonstrative_Examples, Relationships
Minor None
763 Release of Invalid Pointer or Reference
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
764 Multiple Locks of a Critical Resource
Major Relationships
Minor None
765 Multiple Unlocks of a Critical Resource
Major Relationships
Minor None
766 Critical Variable Declared Public
Major Relationships
Minor None
767 Access to Critical Private Variable via Public Method
Major Relationships
Minor None
768 Incorrect Short Circuit Evaluation
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Demonstrative_Examples, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
771 Missing Reference to Active Allocated Resource
Major Relationships
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
773 Missing Reference to Active File Descriptor or Handle
Major Relationships
Minor None
774 Allocation of File Descriptors or Handles Without Limits or Throttling
Major References, Relationships
Minor None
775 Missing Release of File Descriptor or Handle after Effective Lifetime
Major References, Relationships
Minor None
776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')
Major Demonstrative_Examples
Minor None
778 Insufficient Logging
Major References
Minor None
783 Operator Precedence Logic Error
Major Demonstrative_Examples, References, Relationships
Minor None
785 Use of Path Manipulation Function without Maximum-sized Buffer
Major Relationships
Minor None
786 Access of Memory Location Before Start of Buffer
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships
Minor None
788 Access of Memory Location After End of Buffer
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships
Minor None
789 Uncontrolled Memory Allocation
Major References
Minor None
798 Use of Hard-coded Credentials
Major Demonstrative_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
805 Buffer Access with Incorrect Length Value
Major Potential_Mitigations, References, Relationships
Minor None
806 Buffer Access Using Size of Source Buffer
Major Potential_Mitigations, References
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Demonstrative_Examples, References, Relationships
Minor None
821 Incorrect Synchronization
Major Relationships, Taxonomy_Mappings
Minor None
822 Untrusted Pointer Dereference
Major Relationships
Minor None
823 Use of Out-of-range Pointer Offset
Major References
Minor None
824 Access of Uninitialized Pointer
Major References
Minor None
825 Expired Pointer Dereference
Major Demonstrative_Examples, Relationships
Minor None
828 Signal Handler with Functionality that is not Asynchronous-Safe
Major Demonstrative_Examples
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Demonstrative_Examples, References, Related_Attack_Patterns, Relationships
Minor None
830 Inclusion of Web Functionality from an Untrusted Source
Major Demonstrative_Examples
Minor None
833 Deadlock
Major References
Minor None
834 Excessive Iteration
Major References, Relationships, Taxonomy_Mappings
Minor None
835 Loop with Unreachable Exit Condition ('Infinite Loop')
Major Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
837 Improper Enforcement of a Single, Unique Action
Major Observed_Examples
Minor None
838 Inappropriate Encoding for Output Context
Major Potential_Mitigations, References, Relationships, Taxonomy_Mappings
Minor None
839 Numeric Range Comparison Without Minimum Check
Major Demonstrative_Examples, References, Relationships
Minor None
841 Improper Enforcement of Behavioral Workflow
Major Demonstrative_Examples, Observed_Examples, Relationships
Minor None
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major References
Minor None
847 CERT Java Secure Coding Section 02 - Expressions (EXP)
Major Relationships
Minor None
849 CERT Java Secure Coding Section 04 - Object Orientation (OBJ)
Major Relationships
Minor None
850 CERT Java Secure Coding Section 05 - Methods (MET)
Major Relationships
Minor None
854 CERT Java Secure Coding Section 09 - Thread APIs (THI)
Major Relationships
Minor None
857 CERT Java Secure Coding Section 12 - Input Output (FIO)
Major Relationships
Minor None
860 CERT Java Secure Coding Section 15 - Runtime Environment (ENV)
Major Relationships
Minor None
861 CERT Java Secure Coding Section 49 - Miscellaneous (MSC)
Major Relationships
Minor None
862 Missing Authorization
Major Demonstrative_Examples, Observed_Examples, References, Relationships
Minor None
863 Incorrect Authorization
Major References, Relationships
Minor None
Page Last Updated: January 05, 2017