Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

The "Version 3.1 Total" lists the total number of relationships in Version 3.1. The "Shared" value is the total number of relationships in entries that were in both Version 3.1 and Version 3.0. The "New" value is the total number of relationships involving entries that did not exist in Version 3.0. Thus, the total number of relationships in Version 3.1 would combine stats from Shared entries and New entries.

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.
| D | N | R | ID | Name |
|---|---|---|---|---|
| | | R | 16 | Configuration |
| | | R | 19 | Data Processing Errors |
| | | R | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| | | R | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | | R | 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| | | R | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| D | | R | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| | | R | 88 | Argument Injection or Modification |
| | | R | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| | | R | 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| | | R | 91 | XML Injection (aka Blind XPath Injection) |
| D | | | 125 | Out-of-bounds Read |
| | | R | 171 | Cleansing, Canonicalization, and Comparison Errors |
| | | R | 184 | Incomplete Blacklist |
| | N | R | 187 | Partial String Comparison |
| | | R | 209 | Information Exposure Through an Error Message |
| | | R | 216 | Containment Errors (Container Errors) |
| | | R | 220 | Sensitive Data Under FTP Root |
| | | R | 223 | Omission of Security-relevant Information |
| | N | R | 256 | Unprotected Storage of Credentials |
| | | R | 275 | Permission Issues |
| | | R | 284 | Improper Access Control |
| | | R | 285 | Improper Authorization |
| | | R | 287 | Improper Authentication |
| | | R | 295 | Improper Certificate Validation |
| D | | | 297 | Improper Validation of Certificate with Host Mismatch |
| | | R | 308 | Use of Single-factor Authentication |
| | | R | 310 | Cryptographic Issues |
| | | R | 311 | Missing Encryption of Sensitive Data |
| | | R | 312 | Cleartext Storage of Sensitive Information |
| | | R | 319 | Cleartext Transmission of Sensitive Information |
| | | R | 320 | Key Management Errors |
| | | R | 325 | Missing Required Cryptographic Step |
| | | R | 326 | Inadequate Encryption Strength |
| | | R | 327 | Use of a Broken or Risky Cryptographic Algorithm |
| | | R | 328 | Reversible One-Way Hash |
| | | R | 359 | Exposure of Private Information ('Privacy Violation') |
| | | R | 372 | Incomplete Internal State Distinction |
| | | R | 384 | Session Fixation |
| | | R | 425 | Direct Request ('Forced Browsing') |
| | | R | 426 | Untrusted Search Path |
| | | R | 428 | Unquoted Search Path or Element |
| D | N | R | 435 | Improper Interaction Between Multiple Correctly-Behaving Entities |
| | | R | 438 | Behavioral Problems |
| | | R | 471 | Modification of Assumed-Immutable Data (MAID) |
| | | R | 478 | Missing Default Case in Switch Statement |
| | | R | 486 | Comparison of Classes by Name |
| | | R | 502 | Deserialization of Untrusted Data |
| | | R | 522 | Insufficiently Protected Credentials |
| | | R | 523 | Unprotected Transport of Credentials |
| D | | R | 532 | Information Exposure Through Log Files |
| D | N | R | 533 | DEPRECATED: Information Exposure Through Server Log Files |
| D | N | R | 534 | DEPRECATED: Information Exposure Through Debug Log Files |
| D | N | R | 542 | DEPRECATED: Information Exposure Through Cleanup Log Files |
| | | R | 548 | Information Exposure Through Directory Listing |
| | | R | 564 | SQL Injection: Hibernate |
| | | R | 569 | Expression Issues |
| | | R | 581 | Object Model Violation: Just One of Equals and Hashcode Defined |
| D | | R | 595 | Comparison of Object References Instead of Object Contents |
| D | N | R | 596 | DEPRECATED: Incorrect Semantic Object Comparison |
| | | R | 611 | Improper Restriction of XML External Entity Reference ('XXE') |
| | | R | 613 | Insufficient Session Expiration |
| | | R | 620 | Unverified Password Change |
| | | R | 639 | Authorization Bypass Through User-Controlled Key |
| | | R | 640 | Weak Password Recovery Mechanism for Forgotten Password |
| | | R | 643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| | | R | 652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
| | | R | 664 | Improper Control of a Resource Through its Lifetime |
| | | R | 693 | Protection Mechanism Failure |
| D | N | R | 697 | Incorrect Comparison |
| D | | | 699 | Development Concepts |
| | | R | 706 | Use of Incorrectly-Resolved Name or Reference |
| | | R | 731 | OWASP Top Ten 2004 Category A10 - Insecure Configuration Management |
| | | R | 733 | Compiler Optimization Removal or Modification of Security-critical Code |
| | | R | 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
| | | R | 776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
| | | R | 778 | Insufficient Logging |
| D | | | 787 | Out-of-bounds Write |
| D | | | 839 | Numeric Range Comparison Without Minimum Check |
| | | R | 840 | Business Logic Errors |
| | | R | 857 | CERT Java Secure Coding Section 12 - Input Output (FIO) |
| | | R | 917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| | | R | 929 | OWASP Top Ten 2013 Category A1 - Injection |
| | | R | 930 | OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management |
| | | R | 932 | OWASP Top Ten 2013 Category A4 - Insecure Direct Object References |
| | | R | 934 | OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure |
| | | R | 935 | OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control |
| | | R | 943 | Improper Neutralization of Special Elements in Data Query Logic |
| | | R | 963 | SFP Secondary Cluster: Exposed Data |
| | | R | 977 | SFP Secondary Cluster: Design |
| D | | | 1000 | Research Concepts |
| D | | | 1007 | Insufficient Visual Distinction of Homoglyphs Presented to User |
| D | | | 1008 | Architectural Concepts |
| D | N | | 1022 | Use of Web Link to Untrusted Target with window.opener Access |

| ID | Name | Major | Minor |
|---|---|---|---|
| 13 | ASP.NET Misconfiguration: Password in Configuration File | Demonstrative_Examples | None |
| 14 | Compiler Removal of Code to Clear Buffers | References, Type | None |
| 16 | Configuration | Relationships | None |
| 19 | Data Processing Errors | Relationships | None |
| 20 | Improper Input Validation | References | None |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | References, Relationships | None |
| 23 | Relative Path Traversal | None | References |
| 36 | Absolute Path Traversal | None | References |
| 40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) | None | References |
| 58 | Path Equivalence: Windows 8.3 Filename | References | None |
| 59 | Improper Link Resolution Before File Access ('Link Following') | None | References |
| 61 | UNIX Symbolic Link (Symlink) Following | None | References |
| 62 | UNIX Hard Link | None | References |
| 65 | Windows Hard Link | None | References |
| 67 | Improper Handling of Windows Device Names | References | None |
| 69 | Improper Handling of Windows ::DATA Alternate Data Stream | References | None |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Relationships | None |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Relationships | None |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Relationships | References |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Alternate_Terms, Demonstrative_Examples, Description, Observed_Examples, References, Relationship_Notes, Relationships | Applicable_Platforms |
| 88 | Argument Injection or Modification | Relationships | References |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | References, Relationships | None |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | Relationships | None |
| 91 | XML Injection (aka Blind XPath Injection) | Relationships | References |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | None | References |
| 116 | Improper Encoding or Escaping of Output | References | None |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | References | None |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | References | None |
| 121 | Stack-based Buffer Overflow | References | None |
| 122 | Heap-based Buffer Overflow | References | None |
| 125 | Out-of-bounds Read | Description | None |
| 126 | Buffer Over-read | Demonstrative_Examples | None |
| 128 | Wrap-around Error | None | References |
| 129 | Improper Validation of Array Index | References | None |
| 131 | Incorrect Calculation of Buffer Size | References | Potential_Mitigations |
| 134 | Use of Externally-Controlled Format String | References | None |
| 135 | Incorrect Calculation of Multi-Byte String Length | References | None |
| 141 | Improper Neutralization of Parameter/Argument Delimiters | None | References |
| 142 | Improper Neutralization of Value Delimiters | None | References |
| 143 | Improper Neutralization of Record Delimiters | None | References |
| 144 | Improper Neutralization of Line Delimiters | None | References |
| 145 | Improper Neutralization of Section Delimiters | None | References |
| 146 | Improper Neutralization of Expression/Command Delimiters | None | References |
| 158 | Improper Neutralization of Null Byte or NUL Character | None | References |
| 170 | Improper Null Termination | Demonstrative_Examples | None |
| 171 | Cleansing, Canonicalization, and Comparison Errors | References, Relationships | None |
| 176 | Improper Handling of Unicode Encoding | None | References |
| 179 | Incorrect Behavior Order: Early Validation | None | References |
| 182 | Collapse of Data into Unsafe Value | None | References |
| 183 | Permissive Whitelist | None | References |
| 184 | Incomplete Blacklist | Observed_Examples, Relationships | References |
| 185 | Incorrect Regular Expression | References | None |
| 187 | Partial String Comparison | Name, Observed_Examples, Relationships, Type | None |
| 188 | Reliance on Data/Memory Layout | None | References |
| 190 | Integer Overflow or Wraparound | References | Potential_Mitigations |
| 192 | Integer Coercion Error | None | References |
| 193 | Off-by-one Error | Demonstrative_Examples | References |
| 195 | Signed to Unsigned Conversion Error | None | References |
| 196 | Unsigned to Signed Conversion Error | None | References |
| 197 | Numeric Truncation Error | None | References |
| 209 | Information Exposure Through an Error Message | References, Relationships | None |
| 210 | Information Exposure Through Self-generated Error Message | None | References |
| 216 | Containment Errors (Container Errors) | Relationships | None |
| 220 | Sensitive Data Under FTP Root | Relationships | None |
| 223 | Omission of Security-relevant Information | Relationships | References |
| 224 | Obscured Security-relevant Information by Alternate Name | References | None |
| 242 | Use of Inherently Dangerous Function | References | None |
| 250 | Execution with Unnecessary Privileges | References | None |
| 252 | Unchecked Return Value | References | None |
| 253 | Incorrect Check of Function Return Value | None | References |
| 256 | Unprotected Storage of Credentials | Name, Relationships | None |
| 264 | Permissions, Privileges, and Access Controls | References | None |
| 269 | Improper Privilege Management | None | References |
| 270 | Privilege Context Switching Error | References | None |
| 271 | Privilege Dropping / Lowering Errors | None | References |
| 275 | Permission Issues | Relationships | None |
| 276 | Incorrect Default Permissions | None | References |
| 284 | Improper Access Control | References, Relationships | Description |
| 285 | Improper Authorization | References, Relationships | None |
| 287 | Improper Authentication | References, Relationships | None |
| 290 | Authentication Bypass by Spoofing | None | References |
| 293 | Using Referer Field for Authentication | None | References |
| 295 | Improper Certificate Validation | Background_Details, Modes_of_Introduction, Potential_Mitigations, Relationships | None |
| 296 | Improper Following of a Certificate's Chain of Trust | Modes_of_Introduction, Observed_Examples, Potential_Mitigations, Time_of_Introduction | None |
| 297 | Improper Validation of Certificate with Host Mismatch | Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, Potential_Mitigations, References, Time_of_Introduction | None |
| 298 | Improper Validation of Certificate Expiration | Common_Consequences, Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction | None |
| 299 | Improper Check for Certificate Revocation | Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction | None |
| 301 | Reflection Attack in an Authentication Protocol | None | References |
| 308 | Use of Single-factor Authentication | Relationships | None |
| 310 | Cryptographic Issues | References, Relationships | None |
| 311 | Missing Encryption of Sensitive Data | References, Relationships | None |
| 312 | Cleartext Storage of Sensitive Information | References, Relationships, Type | None |
| 319 | Cleartext Transmission of Sensitive Information | References, Relationships, Type | None |
| 320 | Key Management Errors | Relationships | None |
| 322 | Key Exchange without Entity Authentication | None | References |
| 325 | Missing Required Cryptographic Step | Relationships | None |
| 326 | Inadequate Encryption Strength | References, Relationships | None |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | References, Relationships | None |
| 328 | Reversible One-Way Hash | Relationships | References |
| 329 | Not Using a Random IV with CBC Mode | None | References |
| 330 | Use of Insufficiently Random Values | References | None |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | None | References |
| 352 | Cross-Site Request Forgery (CSRF) | References, Relationship_Notes, Research_Gaps | None |
| 359 | Exposure of Private Information ('Privacy Violation') | Relationships | None |
| 363 | Race Condition Enabling Link Following | None | References |
| 364 | Signal Handler Race Condition | None | References |
| 366 | Race Condition within a Thread | None | References |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | None | References |
| 372 | Incomplete Internal State Distinction | Maintenance_Notes, Relationships | None |
| 377 | Insecure Temporary File | References | None |
| 379 | Creation of Temporary File in Directory with Incorrect Permissions | None | References |
| 384 | Session Fixation | Relationships | None |
| 400 | Uncontrolled Resource Consumption ('Resource Exhaustion') | References, Type | None |
| 410 | Insufficient Resource Pool | References | None |
| 415 | Double Free | None | References |
| 422 | Unprotected Windows Messaging Channel ('Shatter') | None | References |
| 425 | Direct Request ('Forced Browsing') | Relationships | None |
| 426 | Untrusted Search Path | Demonstrative_Examples, References, Relationships, Type | None |
| 428 | Unquoted Search Path or Element | Relationships | References |
| 430 | Deployment of Wrong Handler | None | References |
| 431 | Missing Handler | None | References |
| 433 | Unparsed Raw Web Content Delivery | None | References |
| 434 | Unrestricted Upload of File with Dangerous Type | None | References |
| 435 | Improper Interaction Between Multiple Correctly-Behaving Entities | Alternate_Terms, Description, Name, References, Relationships | None |
| 436 | Interpretation Conflict | References | None |
| 438 | Behavioral Problems | Relationships | None |
| 456 | Missing Initialization of a Variable | None | References |
| 457 | Use of Uninitialized Variable | None | References |
| 463 | Deletion of Data Structure Sentinel | None | References |
| 468 | Incorrect Pointer Scaling | None | References |
| 471 | Modification of Assumed-Immutable Data (MAID) | Relationships | None |
| 472 | External Control of Assumed-Immutable Web Parameter | None | References |
| 478 | Missing Default Case in Switch Statement | Relationships | References |
| 479 | Signal Handler Use of a Non-reentrant Function | None | References |
| 480 | Use of Incorrect Operator | None | References |
| 481 | Assigning instead of Comparing | None | References |
| 482 | Comparing instead of Assigning | None | References |
| 484 | Omitted Break Statement in Switch | None | References |
| 486 | Comparison of Classes by Name | Relationships | None |
| 502 | Deserialization of Untrusted Data | Relationships | None |
| 507 | Trojan Horse | References | None |
| 522 | Insufficiently Protected Credentials | Relationships | None |
| 523 | Unprotected Transport of Credentials | Relationships | None |
| 532 | Information Exposure Through Log Files | Description, Potential_Mitigations, Relationships | None |
| 533 | DEPRECATED: Information Exposure Through Server Log Files | Affected_Resources, Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type | None |
| 534 | DEPRECATED: Information Exposure Through Debug Log Files | Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type | None |
| 542 | DEPRECATED: Information Exposure Through Cleanup Log Files | Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type | None |
| 548 | Information Exposure Through Directory Listing | Relationships | None |
| 564 | SQL Injection: Hibernate | Relationships | None |
| 569 | Expression Issues | Relationships | None |
| 581 | Object Model Violation: Just One of Equals and Hashcode Defined | Relationships | None |
| 595 | Comparison of Object References Instead of Object Contents | Applicable_Platforms, Common_Consequences, Description, Other_Notes, Potential_Mitigations, References, Relationships, Type | None |
| 596 | DEPRECATED: Incorrect Semantic Object Comparison | Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Relationships, Time_of_Introduction, Type | None |
| 597 | Use of Wrong Operator in String Comparison | None | References |
| 602 | Client-Side Enforcement of Server-Side Security | References | None |
| 603 | Use of Client-Side Authentication | None | References |
| 606 | Unchecked Input for Loop Condition | None | References |
| 609 | Double-Checked Locking | None | References |
| 611 | Improper Restriction of XML External Entity Reference ('XXE') | Relationships | None |
| 613 | Insufficient Session Expiration | Relationships | None |
| 618 | Exposed Unsafe ActiveX Method | None | References |
| 620 | Unverified Password Change | Relationships | None |
| 623 | Unsafe ActiveX Control Marked Safe For Scripting | References | None |
| 625 | Permissive Regular Expression | None | References |
| 639 | Authorization Bypass Through User-Controlled Key | Relationships | None |
| 640 | Weak Password Recovery Mechanism for Forgotten Password | Relationships | None |
| 643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | Relationships | References |
| 648 | Incorrect Use of Privileged APIs | Observed_Examples | None |
| 652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | Relationships | None |
| 664 | Improper Control of a Resource Through its Lifetime | Relationships | None |
| 665 | Improper Initialization | None | References |
| 676 | Use of Potentially Dangerous Function | References | None |
| 681 | Incorrect Conversion between Numeric Types | None | References |
| 682 | Incorrect Calculation | None | References |
| 689 | Permission Race Condition During Resource Copy | None | References |
| 693 | Protection Mechanism Failure | Relationships | None |
| 697 | Incorrect Comparison | Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Relationships | None |
| 699 | Development Concepts | Description, View_Audience | None |
| 704 | Incorrect Type Conversion or Cast | None | Description |
| 706 | Use of Incorrectly-Resolved Name or Reference | Relationships | None |
| 731 | OWASP Top Ten 2004 Category A10 - Insecure Configuration Management | Relationships | None |
| 732 | Incorrect Permission Assignment for Critical Resource | None | References |
| 733 | Compiler Optimization Removal or Modification of Security-critical Code | References, Relationships | Description |
| 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | Relationships | None |
| 759 | Use of a One-Way Hash without a Salt | References | None |
| 760 | Use of a One-Way Hash with a Predictable Salt | References | None |
| 770 | Allocation of Resources Without Limits or Throttling | References | None |
| 774 | Allocation of File Descriptors or Handles Without Limits or Throttling | None | References |
| 775 | Missing Release of File Descriptor or Handle after Effective Lifetime | None | References |
| 776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | Relationships | None |
| 778 | Insufficient Logging | Relationships | References |
| 783 | Operator Precedence Logic Error | None | References |
| 784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | References | None |
| 787 | Out-of-bounds Write | Description | None |
| 789 | Uncontrolled Memory Allocation | None | References |
| 798 | Use of Hard-coded Credentials | References | Potential_Mitigations |
| 805 | Buffer Access with Incorrect Length Value | References | None |
| 823 | Use of Out-of-range Pointer Offset | None | References |
| 824 | Access of Uninitialized Pointer | None | References |
| 833 | Deadlock | References | None |
| 834 | Excessive Iteration | None | References |
| 835 | Loop with Unreachable Exit Condition ('Infinite Loop') | None | References |
| 839 | Numeric Range Comparison Without Minimum Check | Description | References |
| 840 | Business Logic Errors | Relationships | None |
| 843 | Access of Resource Using Incompatible Type ('Type Confusion') | None | References |
| 857 | CERT Java Secure Coding Section 12 - Input Output (FIO) | Relationships | None |
| 862 | Missing Authorization | References | None |
| 863 | Incorrect Authorization | References | None |
| 917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Relationships | None |
| 918 | Server-Side Request Forgery (SSRF) | References | None |
| 928 | Weaknesses in OWASP Top Ten (2013) | Relationship_Notes | None |
| 929 | OWASP Top Ten 2013 Category A1 - Injection | Relationships | None |
| 930 | OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management | Relationships | None |
| 932 | OWASP Top Ten 2013 Category A4 - Insecure Direct Object References | Relationships | None |
| 934 | OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure | Relationships | None |
| 935 | OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control | Relationships | None |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | Relationships | None |
| 963 | SFP Secondary Cluster: Exposed Data | Relationships | None |
| 977 | SFP Secondary Cluster: Design | Relationships | None |
| 1000 | Research Concepts | Description, Other_Notes, View_Audience | None |
| 1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | Demonstrative_Examples, Description, References | None |
| 1008 | Architectural Concepts | Description, Other_Notes, View_Audience | None |
| 1022 | Use of Web Link to Untrusted Target with window.opener Access | Alternate_Terms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, References | None |