Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "Version 3.2 Total" lists the total number of relationships
in Version 3.2. The "Shared" value is the total number of
relationships in entries that were in both Version 3.2 and Version 3.1. The
"New" value is the total number of relationships involving
entries that did not exist in Version 3.1. Thus, the total number of
relationships in Version 3.2 would combine stats from Shared entries and
New entries.
CWE-ID | CWE Name
1040 | Quality Weaknesses with Indirect Security Impacts
1041 | Use of Redundant Code
1042 | Static Member Data Element outside of a Singleton Class Element
1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
1044 | Architecture with Number of Horizontal Layers Outside of Expected Range
1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
1046 | Creation of Immutable Text Using String Concatenation
1047 | Modules with Circular Dependencies
1048 | Invokable Control Element with Large Number of Outward Calls
1049 | Excessive Data Query Operations in a Large Data Table
1050 | Excessive Platform Resource Consumption within a Loop
1051 | Initialization with Hard-Coded Network Resource Configuration Data
1052 | Excessive Use of Hard-Coded Literals in Initialization
1053 | Missing Documentation for Design
1054 | Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
1055 | Multiple Inheritance from Concrete Classes
1056 | Invokable Control Element with Variadic Parameters
1057 | Data Access Operations Outside of Expected Data Manager Component
1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
1059 | Incomplete Documentation
1060 | Excessive Number of Inefficient Server-Side Data Accesses
1061 | Insufficient Encapsulation
1062 | Parent Class with References to Child Class
1063 | Creation of Class Instance within a Static Code Block
1064 | Invokable Control Element with Signature Containing an Excessive Number of Parameters
1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers
1066 | Missing Serialization Control Element
1067 | Excessive Execution of Sequential Searches of Data Resource
1068 | Inconsistency Between Implementation and Documented Design
1069 | Empty Exception Block
1070 | Serializable Data Element Containing non-Serializable Item Elements
1071 | Empty Code Block
1072 | Data Resource Access without Use of Connection Pooling
1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
1074 | Class with Excessively Deep Inheritance
1075 | Unconditional Control Flow Transfer outside of Switch Block
1076 | Insufficient Adherence to Expected Conventions
1077 | Floating Point Comparison with Incorrect Operator
1078 | Inappropriate Source Code Style or Formatting
1079 | Parent Class without Virtual Destructor Method
1080 | Source Code File with Excessive Number of Lines of Code
1082 | Class Instance Self Destruction Control Element
1083 | Data Access from Outside Expected Data Manager Component
1084 | Invokable Control Element with Excessive File or Data Access Operations
1085 | Invokable Control Element with Excessive Volume of Commented-out Code
1086 | Class with Excessive Number of Child Classes
1087 | Class with Virtual Method without a Virtual Destructor
1088 | Synchronous Access of Remote Resource without Timeout
1089 | Large Data Table with Excessive Number of Indices
1090 | Method Containing Access of a Member Element from Another Class
1091 | Use of Object without Invoking Destructor Method
1092 | Use of Same Invokable Control Element in Multiple Architectural Layers
1093 | Excessively Complex Data Representation
1094 | Excessive Index Range Scan for a Data Resource
1095 | Loop Condition Value Update within the Loop
1096 | Singleton Class Instance Creation without Proper Locking or Synchronization
1097 | Persistent Storable Data Element without Associated Comparison Control Element
1098 | Data Element containing Pointer Item without Proper Copy Control Element
1099 | Inconsistent Naming Conventions for Identifiers
1100 | Insufficient Isolation of System-Dependent Functions
1101 | Reliance on Runtime Component in Generated Code
1102 | Reliance on Machine-Dependent Data Representation
1103 | Use of Platform-Dependent Third Party Components
1104 | Use of Unmaintained Third Party Components
1105 | Insufficient Encapsulation of Machine-Dependent Functionality
1106 | Insufficient Use of Symbolic Constants
1107 | Insufficient Isolation of Symbolic Constant Definitions
1108 | Excessive Reliance on Global Variables
1109 | Use of Same Variable for Multiple Purposes
1110 | Incomplete Design Documentation
1111 | Incomplete I/O Documentation
1112 | Incomplete Documentation of Program Execution
1113 | Inappropriate Comment Style
1114 | Inappropriate Whitespace Style
1115 | Source Code Element without Standard Prologue
1116 | Inaccurate Comments
1117 | Callable with Insufficient Behavioral Summary
1118 | Insufficient Documentation of Error Handling Techniques
1119 | Excessive Use of Unconditional Branching
1120 | Excessive Code Complexity
1121 | Excessive McCabe Cyclomatic Complexity
1122 | Excessive Halstead Complexity
1123 | Excessive Use of Self-Modifying Code
1124 | Excessively Deep Nesting
1125 | Excessive Attack Surface
1126 | Declaration of Variable with Unnecessarily Wide Scope
1127 | Compilation with Insufficient Warnings or Errors
1128 | CISQ Quality Measures (2016)
1129 | CISQ Quality Measures - Reliability
1130 | CISQ Quality Measures - Maintainability
1131 | CISQ Quality Measures - Security
1132 | CISQ Quality Measures - Performance
1133 | Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java
1134 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS)
1135 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 01. Declarations and Initialization (DCL)
1136 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP)
1137 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM)
1138 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 04. Characters and Strings (STR)
1139 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)
1140 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET)
1141 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR)
1142 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA)
1143 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK)
1144 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 10. Thread APIs (THI)
1145 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS)
1146 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 12. Thread-Safety Miscellaneous (TSM)
1147 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO)
1148 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER)
1149 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC)
1150 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV)
1151 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 17. Java Native Interface (JNI)
1152 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC)
1153 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD)
1154 | Weaknesses Addressed by the SEI CERT C Coding Standard
1155 | SEI CERT C Coding Standard - Guidelines 01. Preprocessor (PRE)
1156 | SEI CERT C Coding Standard - Guidelines 02. Declarations and Initialization (DCL)
1157 | SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP)
1158 | SEI CERT C Coding Standard - Guidelines 04. Integers (INT)
1159 | SEI CERT C Coding Standard - Guidelines 05. Floating Point (FLP)
1160 | SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR)
1161 | SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR)
1162 | SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM)
1163 | SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO)
1164 | Irrelevant Code
1165 | SEI CERT C Coding Standard - Guidelines 10. Environment (ENV)
1166 | SEI CERT C Coding Standard - Guidelines 11. Signals (SIG)
1167 | SEI CERT C Coding Standard - Guidelines 12. Error Handling (ERR)
1168 | SEI CERT C Coding Standard - Guidelines 13. Application Programming Interfaces (API)
1169 | SEI CERT C Coding Standard - Guidelines 14. Concurrency (CON)
1170 | SEI CERT C Coding Standard - Guidelines 48. Miscellaneous (MSC)
1171 | SEI CERT C Coding Standard - Guidelines 50. POSIX (POS)
1172 | SEI CERT C Coding Standard - Guidelines 51. Microsoft Windows (WIN)
1173 | Improper Use of Validation Framework
1174 | ASP.NET Misconfiguration: Improper Model Validation
1175 | SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON)
1176 | Inefficient CPU Computation
1177 | Use of Prohibited Code
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
D | N | R | CWE-ID | CWE Name
  |   | R | 20 | Improper Input Validation
  |   | R | 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  |   | R | 67 | Improper Handling of Windows Device Names
  |   | R | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  |   | R | 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  |   | R | 88 | Argument Injection or Modification
  |   | R | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  |   | R | 99 | Improper Control of Resource Identifiers ('Resource Injection')
  |   | R | 102 | Struts: Duplicate Validation Forms
  |   | R | 105 | Struts: Form Field Without Validator
  |   | R | 106 | Struts: Plug-in Framework not in Use
  |   | R | 108 | Struts: Unvalidated Action Form
  |   | R | 109 | Struts: Validator Turned Off
  |   | R | 111 | Direct Use of Unsafe JNI
  |   | R | 112 | Missing XML Validation
  |   | R | 116 | Improper Encoding or Escaping of Output
  |   | R | 117 | Improper Output Neutralization for Logs
  |   | R | 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer
  |   | R | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  |   | R | 121 | Stack-based Buffer Overflow
  |   | R | 122 | Heap-based Buffer Overflow
  |   | R | 123 | Write-what-where Condition
  |   | R | 125 | Out-of-bounds Read
  |   | R | 129 | Improper Validation of Array Index
  |   | R | 131 | Incorrect Calculation of Buffer Size
  |   | R | 134 | Use of Externally-Controlled Format String
  |   | R | 144 | Improper Neutralization of Line Delimiters
  |   | R | 150 | Improper Neutralization of Escape, Meta, or Control Sequences
  |   | R | 170 | Improper Null Termination
  |   | R | 171 | Cleansing, Canonicalization, and Comparison Errors
  |   | R | 180 | Incorrect Behavior Order: Validate Before Canonicalize
  |   | R | 182 | Collapse of Data into Unsafe Value
D |   |   | 186 | Overly Restrictive Regular Expression
  |   | R | 187 | Partial String Comparison
D |   | R | 188 | Reliance on Data/Memory Layout
  |   | R | 189 | Numeric Errors
  |   | R | 190 | Integer Overflow or Wraparound
  |   | R | 191 | Integer Underflow (Wrap or Wraparound)
  |   | R | 192 | Integer Coercion Error
  |   | R | 194 | Unexpected Sign Extension
  |   | R | 195 | Signed to Unsigned Conversion Error
  |   | R | 197 | Numeric Truncation Error
  |   | R | 198 | Use of Incorrect Byte Ordering
  |   | R | 227 | 7PK - API Abuse
  |   | R | 241 | Improper Handling of Unexpected Data Type
  |   | R | 242 | Use of Inherently Dangerous Function
  |   | R | 248 | Uncaught Exception
  |   | R | 252 | Unchecked Return Value
  |   | R | 253 | Incorrect Check of Function Return Value
  |   | R | 259 | Use of Hard-coded Password
  |   | R | 266 | Incorrect Privilege Assignment
  |   | R | 272 | Least Privilege Violation
  |   | R | 273 | Improper Check for Dropped Privileges
  |   | R | 276 | Incorrect Default Permissions
  |   | R | 279 | Incorrect Execution-Assigned Permissions
  |   | R | 283 | Unverified Ownership
  |   | R | 289 | Authentication Bypass by Alternate Name
  |   | R | 311 | Missing Encryption of Sensitive Data
  |   | R | 319 | Cleartext Transmission of Sensitive Information
  |   | R | 327 | Use of a Broken or Risky Cryptographic Algorithm
  |   | R | 330 | Use of Insufficiently Random Values
  |   | R | 331 | Insufficient Entropy
  |   | R | 332 | Insufficient Entropy in PRNG
  |   | R | 336 | Same Seed in Pseudo-Random Number Generator (PRNG)
  |   | R | 337 | Predictable Seed in Pseudo-Random Number Generator (PRNG)
  |   | R | 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  |   | R | 349 | Acceptance of Extraneous Untrusted Data With Trusted Data
  |   | R | 359 | Exposure of Private Information ('Privacy Violation')
  |   | R | 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  |   | R | 363 | Race Condition Enabling Link Following
  |   | R | 365 | Race Condition in Switch
  |   | R | 366 | Race Condition within a Thread
  |   | R | 369 | Divide By Zero
  |   | R | 374 | Passing Mutable Objects to an Untrusted Method
  |   | R | 375 | Returning a Mutable Object to an Untrusted Caller
  |   | R | 377 | Insecure Temporary File
  |   | R | 382 | J2EE Bad Practices: Use of System.exit()
  |   | R | 391 | Unchecked Error Condition
  |   | R | 392 | Missing Report of Error Condition
  |   | R | 396 | Declaration of Catch for Generic Exception
  |   | R | 397 | Declaration of Throws for Generic Exception
  |   | R | 399 | Resource Management Errors
D | N | R | 400 | Uncontrolled Resource Consumption
  | N | R | 401 | Improper Release of Memory Before Removing Last Reference
  |   | R | 404 | Improper Resource Shutdown or Release
  |   | R | 405 | Asymmetric Resource Consumption (Amplification)
  |   | R | 409 | Improper Handling of Highly Compressed Data (Data Amplification)
  |   | R | 410 | Insufficient Resource Pool
  |   | R | 412 | Unrestricted Externally Accessible Lock
  |   | R | 413 | Improper Resource Locking
  |   | R | 415 | Double Free
  |   | R | 416 | Use After Free
  |   | R | 434 | Unrestricted Upload of File with Dangerous Type
  |   | R | 452 | Initialization and Cleanup Errors
  |   | R | 456 | Missing Initialization of a Variable
  |   | R | 459 | Incomplete Cleanup
  |   | R | 460 | Improper Cleanup on Thrown Exception
  |   | R | 467 | Use of sizeof() on a Pointer Type
  |   | R | 468 | Incorrect Pointer Scaling
  |   | R | 469 | Use of Pointer Subtraction to Determine Size
  |   | R | 474 | Use of Function with Inconsistent Implementations
  |   | R | 476 | NULL Pointer Dereference
  |   | R | 478 | Missing Default Case in Switch Statement
  |   | R | 479 | Signal Handler Use of a Non-reentrant Function
  |   | R | 480 | Use of Incorrect Operator
  |   | R | 481 | Assigning instead of Comparing
  |   | R | 486 | Comparison of Classes by Name
  |   | R | 491 | Public cloneable() Method Without Final ('Object Hijack')
  |   | R | 492 | Use of Inner Class Containing Sensitive Data
D | N |   | 495 | Private Data Structure Returned From A Public Method
  |   | R | 498 | Cloneable Class Containing Sensitive Information
  |   | R | 499 | Serializable Class Containing Sensitive Data
  |   | R | 500 | Public Static Field Not Marked Final
  |   | R | 502 | Deserialization of Untrusted Data
  |   | R | 532 | Information Exposure Through Log Files
  |   | R | 546 | Suspicious Comment
  |   | R | 547 | Use of Hard-coded, Security-relevant Constants
  |   | R | 554 | ASP.NET Misconfiguration: Not Using Input Validation Framework
  |   | R | 561 | Dead Code
  |   | R | 562 | Return of Stack Variable Address
  |   | R | 563 | Assignment to Variable without Use
  |   | R | 567 | Unsynchronized Access to Shared Data in a Multithreaded Context
  |   | R | 568 | finalize() Method Without super.finalize()
  |   | R | 572 | Call to Thread run() instead of start()
  |   | R | 573 | Improper Following of Specification by Caller
  |   | R | 581 | Object Model Violation: Just One of Equals and Hashcode Defined
  |   | R | 583 | finalize() Method Declared Public
  |   | R | 584 | Return Inside Finally Block
  |   | R | 585 | Empty Synchronized Block
  |   | R | 586 | Explicit Call to Finalize()
  |   | R | 587 | Assignment of a Fixed Address to a Pointer
  |   | R | 589 | Call to Non-ubiquitous API
  |   | R | 590 | Free of Memory not on the Heap
  |   | R | 595 | Comparison of Object References Instead of Object Contents
  |   | R | 597 | Use of Wrong Operator in String Comparison
  |   | R | 606 | Unchecked Input for Loop Condition
  |   | R | 609 | Double-Checked Locking
  |   | R | 617 | Reachable Assertion
  |   | R | 628 | Function Call with Incorrectly Specified Arguments
D |   |   | 629 | Weaknesses in OWASP Top Ten (2007)
  |   | R | 647 | Use of Non-Canonical URL Paths for Authorization Decisions
  |   | R | 662 | Improper Synchronization
  |   | R | 664 | Improper Control of a Resource Through its Lifetime
  |   | R | 665 | Improper Initialization
  |   | R | 666 | Operation on Resource in Wrong Phase of Lifetime
  |   | R | 667 | Improper Locking
  |   | R | 668 | Exposure of Resource to Wrong Sphere
  |   | R | 672 | Operation on a Resource after Expiration or Release
  |   | R | 674 | Uncontrolled Recursion
  |   | R | 676 | Use of Potentially Dangerous Function
  |   | R | 680 | Integer Overflow to Buffer Overflow
  |   | R | 681 | Incorrect Conversion between Numeric Types
  |   | R | 682 | Incorrect Calculation
  |   | R | 685 | Function Call With Incorrect Number of Arguments
  |   | R | 686 | Function Call With Incorrect Argument Type
  |   | R | 690 | Unchecked Return Value to NULL Pointer Dereference
  |   | R | 696 | Incorrect Behavior Order
  |   | R | 697 | Incorrect Comparison
  |   | R | 703 | Improper Check or Handling of Exceptional Conditions
  |   | R | 704 | Incorrect Type Conversion or Cast
  |   | R | 705 | Incorrect Control Flow Scoping
  |   | R | 710 | Improper Adherence to Coding Standards
D |   |   | 711 | Weaknesses in OWASP Top Ten (2004)
  |   | R | 732 | Incorrect Permission Assignment for Critical Resource
D | N |   | 734 | Weaknesses Addressed by the CERT C Secure Coding Standard (2008)
D | N |   | 735 | CERT C Secure Coding Standard (2008) Chapter 2 - Preprocessor (PRE)
D | N |   | 736 | CERT C Secure Coding Standard (2008) Chapter 3 - Declarations and Initialization (DCL)
D | N |   | 737 | CERT C Secure Coding Standard (2008) Chapter 4 - Expressions (EXP)
D | N |   | 738 | CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT)
D | N |   | 739 | CERT C Secure Coding Standard (2008) Chapter 6 - Floating Point (FLP)
D | N |   | 740 | CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR)
D | N |   | 741 | CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR)
D | N |   | 742 | CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM)
D | N |   | 743 | CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO)
D | N |   | 744 | CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV)
D | N |   | 745 | CERT C Secure Coding Standard (2008) Chapter 12 - Signals (SIG)
D | N |   | 746 | CERT C Secure Coding Standard (2008) Chapter 13 - Error Handling (ERR)
D | N |   | 747 | CERT C Secure Coding Standard (2008) Chapter 14 - Miscellaneous (MSC)
D | N | R | 748 | CERT C Secure Coding Standard (2008) Appendix - POSIX (POS)
D |   |   | 750 | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
  |   | R | 754 | Improper Check for Unusual or Exceptional Conditions
  |   | R | 758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
  |   | R | 762 | Mismatched Memory Management Routines
D | N | R | 766 | Critical Data Element Declared Public
D | N | R | 769 | DEPRECATED: Uncontrolled File Descriptor Consumption
D |   | R | 770 | Allocation of Resources Without Limits or Throttling
  |   | R | 771 | Missing Reference to Active Allocated Resource
  |   | R | 772 | Missing Release of Resource after Effective Lifetime
  |   | R | 773 | Missing Reference to Active File Descriptor or Handle
  |   | R | 774 | Allocation of File Descriptors or Handles Without Limits or Throttling
  |   | R | 775 | Missing Release of File Descriptor or Handle after Effective Lifetime
  |   | R | 786 | Access of Memory Location Before Start of Buffer
  |   | R | 788 | Access of Memory Location After End of Buffer
  |   | R | 789 | Uncontrolled Memory Allocation
  |   | R | 798 | Use of Hard-coded Credentials
D |   |   | 800 | Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
  |   | R | 805 | Buffer Access with Incorrect Length Value
D |   |   | 809 | Weaknesses in OWASP Top Ten (2010)
  |   | R | 820 | Missing Synchronization
  |   | R | 821 | Incorrect Synchronization
  |   | R | 835 | Loop with Unreachable Exit Condition ('Infinite Loop')
  |   | R | 838 | Inappropriate Encoding for Output Context
  |   | R | 839 | Numeric Range Comparison Without Minimum Check
  |   | R | 843 | Access of Resource Using Incompatible Type ('Type Confusion')
D | N |   | 844 | Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)
D | N |   | 845 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS)
D | N |   | 846 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 3 - Declarations and Initialization (DCL)
D | N |   | 847 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 4 - Expressions (EXP)
D | N |   | 848 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 5 - Numeric Types and Operations (NUM)
D | N |   | 849 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ)
D | N |   | 850 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 7 - Methods (MET)
D | N |   | 851 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)
D | N |   | 852 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 9 - Visibility and Atomicity (VNA)
D | N |   | 853 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK)
D | N |   | 854 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 11 - Thread APIs (THI)
D | N |   | 855 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 12 - Thread Pools (TPS)
D | N |   | 856 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 13 - Thread-Safety Miscellaneous (TSM)
D | N |   | 857 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 14 - Input Output (FIO)
D | N |   | 858 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 15 - Serialization (SER)
D | N |   | 859 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC)
D | N |   | 860 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 17 - Runtime Environment (ENV)
D | N |   | 861 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 18 - Miscellaneous (MSC)
D | N |   | 868 | Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)
  |   | R | 908 | Use of Uninitialized Resource
  |   | R | 910 | Use of Expired File Descriptor
D |   |   | 916 | Use of Password Hash With Insufficient Computational Effort
D |   |   | 928 | Weaknesses in OWASP Top Ten (2013)
  |   | R | 1006 | Bad Coding Practices
D |   |   | 1007 | Insufficient Visual Distinction of Homoglyphs Presented to User
  |   | R | 1023 | Incomplete Comparison with Missing Factors
CWE-ID | CWE Name | Major | Minor
15 | External Control of System or Configuration Setting | Related_Attack_Patterns | None
20 | Improper Input Validation | Related_Attack_Patterns, Relationships | None
22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings | None
59 | Improper Link Resolution Before File Access ('Link Following') | Taxonomy_Mappings | None
64 | Windows Shortcut Following (.LNK) | Related_Attack_Patterns | None
67 | Improper Handling of Windows Device Names | Relationships, Taxonomy_Mappings | None
69 | Improper Handling of Windows ::DATA Alternate Data Stream | Related_Attack_Patterns | None
74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Related_Attack_Patterns | None
77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Taxonomy_Mappings | None
78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | References, Relationships, Taxonomy_Mappings | None
79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | References, Relationships, Taxonomy_Mappings | None
88 | Argument Injection or Modification | Relationships | None
89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | References, Relationships, Taxonomy_Mappings | None
95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | Taxonomy_Mappings | None
99 | Improper Control of Resource Identifiers ('Resource Injection') | References, Relationships, Taxonomy_Mappings | None
102 | Struts: Duplicate Validation Forms | Relationships | None
105 | Struts: Form Field Without Validator | Relationships | None
106 | Struts: Plug-in Framework not in Use | Relationships | None
108 | Struts: Unvalidated Action Form | Relationships | None
109 | Struts: Validator Turned Off | Relationships | None
111 | Direct Use of Unsafe JNI | Relationships, Taxonomy_Mappings | None
112 | Missing XML Validation | Relationships | None
116 | Improper Encoding or Escaping of Output | Relationships, Taxonomy_Mappings | None
117 | Improper Output Neutralization for Logs | Relationships, Taxonomy_Mappings | None
119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Relationships | None
120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | References, Relationships, Taxonomy_Mappings | None
121 | Stack-based Buffer Overflow | Relationships | None
122 | Heap-based Buffer Overflow | Relationships | None
123 | Write-what-where Condition | Relationships | None
125 | Out-of-bounds Read | Relationships | None
129 | Improper Validation of Array Index | References, Relationships, Taxonomy_Mappings | None
131 | Incorrect Calculation of Buffer Size | Relationships | None
134 | Use of Externally-Controlled Format String | References, Relationships, Taxonomy_Mappings | None
135 | Incorrect Calculation of Multi-Byte String Length | Taxonomy_Mappings | None
144 | Improper Neutralization of Line Delimiters | Relationships, Taxonomy_Mappings | None
150 | Improper Neutralization of Escape, Meta, or Control Sequences | Relationships, Taxonomy_Mappings | None
162 | Improper Neutralization of Trailing Special Elements | Related_Attack_Patterns | None
170 | Improper Null Termination | Relationships | Common_Consequences
171 | Cleansing, Canonicalization, and Comparison Errors | Relationships, Taxonomy_Mappings | None
172 | Encoding Error | Related_Attack_Patterns | None
173 | Improper Handling of Alternate Encoding | Related_Attack_Patterns | None
177 | Improper Handling of URL Encoding (Hex Encoding) | Related_Attack_Patterns | None
180 | Incorrect Behavior Order: Validate Before Canonicalize | Relationships, Taxonomy_Mappings | None
181 | Incorrect Behavior Order: Validate Before Filter | Related_Attack_Patterns | None
182 | Collapse of Data into Unsafe Value | Relationships, Taxonomy_Mappings | None
183 | Permissive Whitelist | Related_Attack_Patterns | None
184 | Incomplete Blacklist | Related_Attack_Patterns | None
186 | Overly Restrictive Regular Expression | Description | None
187 | Partial String Comparison | Relationships | None
188 | Reliance on Data/Memory Layout | Description, Relationships | None
189 | Numeric Errors | Relationships, Taxonomy_Mappings | None
190 | Integer Overflow or Wraparound | Relationships | None
191 | Integer Underflow (Wrap or Wraparound) | Relationships | None
192 | Integer Coercion Error | Relationships | None
194 | Unexpected Sign Extension | Relationships | None
195 | Signed to Unsigned Conversion Error | Relationships | None
197 | Numeric Truncation Error | Relationships, Taxonomy_Mappings | None
198 | Use of Incorrect Byte Ordering | Relationships, Taxonomy_Mappings | None
200 | Information Exposure | Related_Attack_Patterns | Description
209 | Information Exposure Through an Error Message | Taxonomy_Mappings | None
227 | 7PK - API Abuse | Relationships | None
230 | Improper Handling of Missing Values | Taxonomy_Mappings | None
232 | Improper Handling of Undefined Values | Taxonomy_Mappings | None
241 | Improper Handling of Unexpected Data Type | Relationships | None
242 | Use of Inherently Dangerous Function | Relationships | None
248 | Uncaught Exception | Relationships, Taxonomy_Mappings | None
250 | Execution with Unnecessary Privileges | Taxonomy_Mappings | None
252 | Unchecked Return Value | References, Relationships, Taxonomy_Mappings | None
253 | Incorrect Check of Function Return Value | Relationships | None
259 | Use of Hard-coded Password | Relationships, Taxonomy_Mappings | None
266 | Incorrect Privilege Assignment | Relationships, Taxonomy_Mappings | None
267 | Privilege Defined With Unsafe Actions | Related_Attack_Patterns | None
272 | Least Privilege Violation | Relationships, Taxonomy_Mappings | None
273 | Improper Check for Dropped Privileges | Relationships | None
276 | Incorrect Default Permissions | Relationships, Taxonomy_Mappings | None
279 | Incorrect Execution-Assigned Permissions | Relationships, Taxonomy_Mappings | None
283 | Unverified Ownership | Relationships | Common_Consequences
284 | Improper Access Control | Related_Attack_Patterns | None
285 | Improper Authorization | Related_Attack_Patterns | None
287 | Improper Authentication | Related_Attack_Patterns | None
289 | Authentication Bypass by Alternate Name | Relationships, Taxonomy_Mappings | None
300 | Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Taxonomy_Mappings | None
302 | Authentication Bypass by Assumed-Immutable Data | Taxonomy_Mappings | None
306 | Missing Authentication for Critical Function | Related_Attack_Patterns | None
311 | Missing Encryption of Sensitive Data | Related_Attack_Patterns, Relationships, Taxonomy_Mappings | None
319 | Cleartext Transmission of Sensitive Information | Relationships, Taxonomy_Mappings | None
326 | Inadequate Encryption Strength | Related_Attack_Patterns | None
327 | Use of a Broken or Risky Cryptographic Algorithm | References, Relationships, Taxonomy_Mappings | None
330 | Use of Insufficiently Random Values | Relationships, Taxonomy_Mappings | None
331 | Insufficient Entropy | Relationships | None
332 | Insufficient Entropy in PRNG | Relationships, Taxonomy_Mappings | None
333 | Improper Handling of Insufficient Entropy in TRNG |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
336 |
Same Seed in Pseudo-Random Number Generator (PRNG) |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
337 |
Predictable Seed in Pseudo-Random Number Generator (PRNG) |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
Major |
Relationships |
|
Minor |
None |
347 |
Improper Verification of Cryptographic Signature |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
359 |
Exposure of Private Information ('Privacy Violation') |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
363 |
Race Condition Enabling Link Following |
|
Major |
Relationships |
|
Minor |
None |
365 |
Race Condition in Switch |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
366 |
Race Condition within a Thread |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
369 |
Divide By Zero |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
374 |
Passing Mutable Objects to an Untrusted Method |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
375 |
Returning a Mutable Object to an Untrusted Caller |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
377 |
Insecure Temporary File |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
382 |
J2EE Bad Practices: Use of System.exit() |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
390 |
Detection of Error Condition Without Action |
|
Major |
Related_Attack_Patterns, Taxonomy_Mappings |
|
Minor |
None |
391 |
Unchecked Error Condition |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
392 |
Missing Report of Error Condition |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
394 |
Unexpected Status Code or Return Value |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
395 |
Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
396 |
Declaration of Catch for Generic Exception |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
397 |
Declaration of Throws for Generic Exception |
|
Major |
Applicable_Platforms, Demonstrative_Examples, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
399 |
Resource Management Errors |
|
Major |
Relationships |
|
Minor |
None |
400 |
Uncontrolled Resource Consumption |
|
Major |
Alternate_Terms, Description, Name, Relationships, Taxonomy_Mappings, Theoretical_Notes |
|
Minor |
None |
401 |
Improper Release of Memory Before Removing Last Reference |
|
Major |
Common_Consequences, Demonstrative_Examples, Name, References, Relationships, Taxonomy_Mappings, Type, Weakness_Ordinalities |
|
Minor |
None |
404 |
Improper Resource Shutdown or Release |
|
Major |
Relationships, Taxonomy_Mappings, Type |
|
Minor |
None |
405 |
Asymmetric Resource Consumption (Amplification) |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
409 |
Improper Handling of Highly Compressed Data (Data Amplification) |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
410 |
Insufficient Resource Pool |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
412 |
Unrestricted Externally Accessible Lock |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
413 |
Improper Resource Locking |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
415 |
Double Free |
|
Major |
Relationships |
|
Minor |
None |
416 |
Use After Free |
|
Major |
Relationships |
|
Minor |
None |
426 |
Untrusted Search Path |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
427 |
Uncontrolled Search Path Element |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
428 |
Unquoted Search Path or Element |
|
Major |
Applicable_Platforms, Related_Attack_Patterns |
|
Minor |
None |
434 |
Unrestricted Upload of File with Dangerous Type |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
452 |
Initialization and Cleanup Errors |
|
Major |
Relationships |
|
Minor |
None |
456 |
Missing Initialization of a Variable |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
457 |
Use of Uninitialized Variable |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
459 |
Incomplete Cleanup |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
460 |
Improper Cleanup on Thrown Exception |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
467 |
Use of sizeof() on a Pointer Type |
|
Major |
Relationships |
|
Minor |
None |
468 |
Incorrect Pointer Scaling |
|
Major |
Relationships |
|
Minor |
None |
469 |
Use of Pointer Subtraction to Determine Size |
|
Major |
Relationships |
|
Minor |
None |
470 |
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
472 |
External Control of Assumed-Immutable Web Parameter |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
474 |
Use of Function with Inconsistent Implementations |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
475 |
Undefined Behavior for Input to API |
|
Major |
Weakness_Ordinalities |
|
Minor |
None |
476 |
NULL Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
477 |
Use of Obsolete Function |
|
Major |
Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
478 |
Missing Default Case in Switch Statement |
|
Major |
Relationships |
|
Minor |
None |
479 |
Signal Handler Use of a Non-reentrant Function |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
480 |
Use of Incorrect Operator |
|
Major |
Relationships |
|
Minor |
None |
481 |
Assigning instead of Comparing |
|
Major |
Relationships |
|
Minor |
None |
483 |
Incorrect Block Delimitation |
|
Major |
Weakness_Ordinalities |
|
Minor |
None |
484 |
Omitted Break Statement in Switch |
|
Major |
Weakness_Ordinalities |
|
Minor |
None |
486 |
Comparison of Classes by Name |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
487 |
Reliance on Package-level Scope |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
489 |
Leftover Debug Code |
|
Major |
Weakness_Ordinalities |
|
Minor |
None |
491 |
Public cloneable() Method Without Final ('Object Hijack') |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
492 |
Use of Inner Class Containing Sensitive Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
493 |
Critical Public Variable Without Final Modifier |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
494 |
Download of Code Without Integrity Check |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
495 |
Private Data Structure Returned From A Public Method |
|
Major |
Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations |
|
Minor |
None |
497 |
Exposure of System Data to an Unauthorized Control Sphere |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
498 |
Cloneable Class Containing Sensitive Information |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
499 |
Serializable Class Containing Sensitive Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
500 |
Public Static Field Not Marked Final |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
502 |
Deserialization of Untrusted Data |
|
Major |
Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
522 |
Insufficiently Protected Credentials |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
532 |
Information Exposure Through Log Files |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
543 |
Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
546 |
Suspicious Comment |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
547 |
Use of Hard-coded, Security-relevant Constants |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
552 |
Files or Directories Accessible to External Parties |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
553 |
Command Shell in Externally Accessible Directory |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
554 |
ASP.NET Misconfiguration: Not Using Input Validation Framework |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
561 |
Dead Code |
|
Major |
Common_Consequences, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
562 |
Return of Stack Variable Address |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
563 |
Assignment to Variable without Use |
|
Major |
Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
567 |
Unsynchronized Access to Shared Data in a Multithreaded Context |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
568 |
finalize() Method Without super.finalize() |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
572 |
Call to Thread run() instead of start() |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
573 |
Improper Following of Specification by Caller |
|
Major |
Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
581 |
Object Model Violation: Just One of Equals and Hashcode Defined |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
582 |
Array Declared Public, Final, and Static |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
583 |
finalize() Method Declared Public |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
584 |
Return Inside Finally Block |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
585 |
Empty Synchronized Block |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
586 |
Explicit Call to Finalize() |
|
Major |
Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
587 |
Assignment of a Fixed Address to a Pointer |
|
Major |
Relationships |
|
Minor |
None |
589 |
Call to Non-ubiquitous API |
|
Major |
Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
590 |
Free of Memory not on the Heap |
|
Major |
Relationships |
|
Minor |
None |
594 |
J2EE Framework: Saving Unserializable Objects to Disk |
|
Major |
Weakness_Ordinalities |
|
Minor |
None |
595 |
Comparison of Object References Instead of Object Contents |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
597 |
Use of Wrong Operator in String Comparison |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
600 |
Uncaught Exception in Servlet |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
605 |
Multiple Binds to the Same Port |
|
Major |
Weakness_Ordinalities |
|
Minor |
None |
606 |
Unchecked Input for Loop Condition |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
609 |
Double-Checked Locking |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
611 |
Improper Restriction of XML External Entity Reference ('XXE') |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
617 |
Reachable Assertion |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
625 |
Permissive Regular Expression |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
628 |
Function Call with Incorrectly Specified Arguments |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
629 |
Weaknesses in OWASP Top Ten (2007) |
|
Major |
Description |
|
Minor |
None |
647 |
Use of Non-Canonical URL Paths for Authorization Decisions |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
662 |
Improper Synchronization |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
664 |
Improper Control of a Resource Through its Lifetime |
|
Major |
Relationships |
|
Minor |
None |
665 |
Improper Initialization |
|
Major |
Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
666 |
Operation on Resource in Wrong Phase of Lifetime |
|
Major |
Relationships |
|
Minor |
None |
667 |
Improper Locking |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
668 |
Exposure of Resource to Wrong Sphere |
|
Major |
Relationships |
|
Minor |
None |
672 |
Operation on a Resource after Expiration or Release |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
674 |
Uncontrolled Recursion |
|
Major |
References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
676 |
Use of Potentially Dangerous Function |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
677 |
Weakness Base Elements |
|
Major |
View_Filter |
|
Minor |
None |
678 |
Composites |
|
Major |
View_Filter |
|
Minor |
None |
680 |
Integer Overflow to Buffer Overflow |
|
Major |
Relationships |
|
Minor |
None |
681 |
Incorrect Conversion between Numeric Types |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
682 |
Incorrect Calculation |
|
Major |
Relationships |
|
Minor |
None |
684 |
Incorrect Provision of Specified Functionality |
|
Major |
Weakness_Ordinalities |
|
Minor |
None |
685 |
Function Call With Incorrect Number of Arguments |
|
Major |
Relationships |
|
Minor |
None |
686 |
Function Call With Incorrect Argument Type |
|
Major |
Relationships |
|
Minor |
None |
690 |
Unchecked Return Value to NULL Pointer Dereference |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
692 |
Incomplete Blacklist to Cross-Site Scripting |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
693 |
Protection Mechanism Failure |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
696 |
Incorrect Behavior Order |
|
Major |
Relationships |
|
Minor |
None |
697 |
Incorrect Comparison |
|
Major |
Related_Attack_Patterns, Relationships |
|
Minor |
None |
703 |
Improper Check or Handling of Exceptional Conditions |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
704 |
Incorrect Type Conversion or Cast |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
705 |
Incorrect Control Flow Scoping |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
706 |
Use of Incorrectly-Resolved Name or Reference |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
707 |
Improper Enforcement of Message or Data Structure |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
710 |
Improper Adherence to Coding Standards |
|
Major |
Relationships |
|
Minor |
None |
711 |
Weaknesses in OWASP Top Ten (2004) |
|
Major |
Description |
|
Minor |
None |
732 |
Incorrect Permission Assignment for Critical Resource |
|
Major |
Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
|
Minor |
None |
734 |
Weaknesses Addressed by the CERT C Secure Coding Standard (2008) |
|
Major |
Description, Name, References |
|
Minor |
None |
735 |
CERT C Secure Coding Standard (2008) Chapter 2 - Preprocessor (PRE) |
|
Major |
Description, Name, References |
|
Minor |
None |
736 |
CERT C Secure Coding Standard (2008) Chapter 3 - Declarations and Initialization (DCL) |
|
Major |
Description, Name, References |
|
Minor |
None |
737 |
CERT C Secure Coding Standard (2008) Chapter 4 - Expressions (EXP) |
|
Major |
Description, Name, References |
|
Minor |
None |
738 |
CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT) |
|
Major |
Description, Name, References |
|
Minor |
None |
739 |
CERT C Secure Coding Standard (2008) Chapter 6 - Floating Point (FLP) |
|
Major |
Description, Name, References |
|
Minor |
None |
740 |
CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR) |
|
Major |
Description, Name, References |
|
Minor |
None |
741 |
CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR) |
|
Major |
Description, Name, References |
|
Minor |
None |
742 |
CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM) |
|
Major |
Description, Name, References |
|
Minor |
None |
743 |
CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO) |
|
Major |
Description, Name, References |
|
Minor |
None |
744 |
CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV) |
|
Major |
Description, Name, References |
|
Minor |
None |
745 |
CERT C Secure Coding Standard (2008) Chapter 12 - Signals (SIG) |
|
Major |
Description, Name, References |
|
Minor |
None |
746 |
CERT C Secure Coding Standard (2008) Chapter 13 - Error Handling (ERR) |
|
Major |
Description, Name, References |
|
Minor |
None |
747 |
CERT C Secure Coding Standard (2008) Chapter 14 - Miscellaneous (MSC) |
|
Major |
Description, Name, References |
|
Minor |
None |
748 |
CERT C Secure Coding Standard (2008) Appendix - POSIX (POS) |
|
Major |
Description, Name, References, Relationship_Notes, Relationships |
|
Minor |
None |
750 |
Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors |
|
Major |
Description |
|
Minor |
None |
754 |
Improper Check for Unusual or Exceptional Conditions |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
758 |
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
|
Major |
Relationships, Weakness_Ordinalities |
|
Minor |
None |
762 |
Mismatched Memory Management Routines |
|
Major |
Relationships |
|
Minor |
None |
766 |
Critical Data Element Declared Public |
|
Major |
Common_Consequences, Description, Name, References, Relationships, Taxonomy_Mappings, Weakness_Ordinalities |
|
Minor |
None |
767 |
Access to Critical Private Variable via Public Method |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
769 |
DEPRECATED: Uncontrolled File Descriptor Consumption |
|
Major |
Alternate_Terms, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction, Type |
|
Minor |
None |
770 |
Allocation of Resources Without Limits or Throttling |
|
Major |
Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings |
|
Minor |
None |
771 |
Missing Reference to Active Allocated Resource |
|
Major |
Common_Consequences, Maintenance_Notes, Relationships, Theoretical_Notes |
|
Minor |
None |
772 |
Missing Release of Resource after Effective Lifetime |
|
Major |
Common_Consequences, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
773 |
Missing Reference to Active File Descriptor or Handle |
|
Major |
Common_Consequences, Relationships, Theoretical_Notes |
|
Minor |
None |
774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
|
Major |
Alternate_Terms, Relationships, Theoretical_Notes |
|
Minor |
None |
775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
|
Major |
Common_Consequences, Relationships, Theoretical_Notes |
|
Minor |
None |
783 |
Operator Precedence Logic Error |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
786 |
Access of Memory Location Before Start of Buffer |
|
Major |
Relationships |
|
Minor |
None |
788 |
Access of Memory Location After End of Buffer |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
789 |
Uncontrolled Memory Allocation |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
792 |
Incomplete Filtering of One or More Instances of Special Elements |
|
Major |
None |
|
Minor |
Description |
794 |
Incomplete Filtering of Multiple Instances of Special Elements |
|
Major |
None |
|
Minor |
Description |
798 |
Use of Hard-coded Credentials |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
800 |
Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors |
|
Major |
Description |
|
Minor |
None |
805 |
Buffer Access with Incorrect Length Value |
|
Major |
Relationships |
|
Minor |
None |
807 |
Reliance on Untrusted Inputs in a Security Decision |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
809 |
Weaknesses in OWASP Top Ten (2010) |
|
Major |
Description |
|
Minor |
None |
820 |
Missing Synchronization |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
821 |
Incorrect Synchronization |
|
Major |
Relationships |
|
Minor |
None |
829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
833 |
Deadlock |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
835 |
Loop with Unreachable Exit Condition ('Infinite Loop') |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
838 |
Inappropriate Encoding for Output Context |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
839 |
Numeric Range Comparison Without Minimum Check |
|
Major |
Relationships |
|
Minor |
None |
843 |
Access of Resource Using Incompatible Type ('Type Confusion') |
|
Major |
Relationships |
|
Minor |
None |
844 |
Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011) |
|
Major |
Description, Name, References, View_Audience |
|
Minor |
None |
845 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS) |
|
Major |
Description, Name, References |
|
Minor |
None |
846 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 3 - Declarations and Initialization (DCL) |
|
Major |
Description, Name, References |
|
Minor |
None |
847 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 4 - Expressions (EXP) |
|
Major |
Description, Name, References |
|
Minor |
None |
848 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 5 - Numeric Types and Operations (NUM) |
|
Major |
Description, Name, References |
|
Minor |
None |
849 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ) |
|
Major |
Description, Name, References |
|
Minor |
None |
850 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 7 - Methods (MET) |
|
Major |
Description, Name, References |
|
Minor |
None |
851 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR) |
|
Major |
Description, Name, References |
|
Minor |
None |
852 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 9 - Visibility and Atomicity (VNA) |
|
Major |
Description, Name, References |
|
Minor |
None |
853 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK) |
|
Major |
Description, Name, References |
|
Minor |
None |
854 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 11 - Thread APIs (THI) |
|
Major |
Description, Name, References |
|
Minor |
None |
855 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 12 - Thread Pools (TPS) |
|
Major |
Description, Name, References |
|
Minor |
None |
856 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 13 - Thread-Safety Miscellaneous (TSM) |
|
Major |
Description, Name, References |
|
Minor |
None |
857 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 14 - Input Output (FIO) |
|
Major |
Description, Name, References |
|
Minor |
None |
858 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 15 - Serialization (SER) |
|
Major |
Description, Name, References |
|
Minor |
None |
859 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC) |
|
Major |
Description, Name, References |
|
Minor |
None |
860 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 17 - Runtime Environment (ENV) |
|
Major |
Description, Name, References |
|
Minor |
None |
861 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 18 - Miscellaneous (MSC) |
|
Major |
Description, Name, References |
|
Minor |
None |
868 |
Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version) |
|
Major |
Description, Maintenance_Notes, Name, References |
|
Minor |
None |
869 |
CERT C++ Secure Coding Section 01 - Preprocessor (PRE) |
|
Major |
References |
|
Minor |
None |
908 |
Use of Uninitialized Resource |
|
Major |
Relationships |
|
Minor |
None |
910 |
Use of Expired File Descriptor |
|
Major |
Relationships |
|
Minor |
None |
916 |
Use of Password Hash With Insufficient Computational Effort |
|
Major |
Description |
|
Minor |
None |
923 |
Improper Restriction of Communication Channel to Intended Endpoints |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
925 |
Improper Verification of Intent by Broadcast Receiver |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
928 |
Weaknesses in OWASP Top Ten (2013) |
|
Major |
Description |
|
Minor |
None |
999 |
Weaknesses without Software Fault Patterns |
|
Major |
View_Filter |
|
Minor |
None |
1006 |
Bad Coding Practices |
|
Major |
Relationships |
|
Minor |
None |
1007 |
Insufficient Visual Distinction of Homoglyphs Presented to User |
|
Major |
Demonstrative_Examples, Description, Related_Attack_Patterns |
|
Minor |
None |
1023 |
Incomplete Comparison with Missing Factors |
|
Major |
Relationships |
|
Minor |
None |