Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "Version 4.11 Total" lists the total number of relationships
in Version 4.11. The "Shared" value is the total number of
relationships in entries that were in both Version 4.11 and Version 4.10. The
"New" value is the total number of relationships involving
entries that did not exist in Version 4.10. Thus, the total number of
relationships in Version 4.11 would combine stats from Shared entries and
New entries.
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
| | R |
5 |
J2EE Misconfiguration: Data Transmission Without Encryption |
| | R |
6 |
J2EE Misconfiguration: Insufficient Session-ID Length |
| | R |
7 |
J2EE Misconfiguration: Missing Custom Error Page |
| | R |
8 |
J2EE Misconfiguration: Entity Bean Declared Remote |
| | R |
9 |
J2EE Misconfiguration: Weak Access Permissions for EJB Methods |
| | R |
11 |
ASP.NET Misconfiguration: Creating Debug Binary |
| | R |
12 |
ASP.NET Misconfiguration: Missing Custom Error Page |
| | R |
13 |
ASP.NET Misconfiguration: Password in Configuration File |
| | R |
14 |
Compiler Removal of Code to Clear Buffers |
| | R |
15 |
External Control of System or Configuration Setting |
| | R |
19 |
Data Processing Errors |
| | R |
20 |
Improper Input Validation |
| | R |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| | R |
23 |
Relative Path Traversal |
| | R |
24 |
Path Traversal: '../filedir' |
| | R |
25 |
Path Traversal: '/../filedir' |
| | R |
26 |
Path Traversal: '/dir/../filename' |
| | R |
27 |
Path Traversal: 'dir/../../filename' |
| | R |
28 |
Path Traversal: '..\filedir' |
| | R |
29 |
Path Traversal: '\..\filename' |
| | R |
30 |
Path Traversal: '\dir\..\filename' |
| | R |
31 |
Path Traversal: 'dir\..\..\filename' |
| | R |
32 |
Path Traversal: '...' (Triple Dot) |
| | R |
33 |
Path Traversal: '....' (Multiple Dot) |
| | R |
34 |
Path Traversal: '....//' |
| | R |
35 |
Path Traversal: '.../...//' |
| | R |
36 |
Absolute Path Traversal |
| | R |
37 |
Path Traversal: '/absolute/pathname/here' |
| | R |
38 |
Path Traversal: '\absolute\pathname\here' |
| | R |
39 |
Path Traversal: 'C:dirname' |
| | R |
40 |
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
| | R |
41 |
Improper Resolution of Path Equivalence |
| | R |
42 |
Path Equivalence: 'filename.' (Trailing Dot) |
| | R |
43 |
Path Equivalence: 'filename....' (Multiple Trailing Dot) |
| | R |
44 |
Path Equivalence: 'file.name' (Internal Dot) |
| | R |
45 |
Path Equivalence: 'file...name' (Multiple Internal Dot) |
| | R |
46 |
Path Equivalence: 'filename ' (Trailing Space) |
| | R |
47 |
Path Equivalence: ' filename' (Leading Space) |
| | R |
48 |
Path Equivalence: 'file name' (Internal Whitespace) |
| | R |
49 |
Path Equivalence: 'filename/' (Trailing Slash) |
| | R |
50 |
Path Equivalence: '//multiple/leading/slash' |
| | R |
51 |
Path Equivalence: '/multiple//internal/slash' |
| | R |
52 |
Path Equivalence: '/multiple/trailing/slash//' |
| | R |
53 |
Path Equivalence: '\multiple\\internal\backslash' |
| | R |
54 |
Path Equivalence: 'filedir\' (Trailing Backslash) |
| | R |
55 |
Path Equivalence: '/./' (Single Dot Directory) |
| | R |
56 |
Path Equivalence: 'filedir*' (Wildcard) |
| | R |
57 |
Path Equivalence: 'fakedir/../realdir/filename' |
| | R |
58 |
Path Equivalence: Windows 8.3 Filename |
| | R |
59 |
Improper Link Resolution Before File Access ('Link Following') |
| | R |
61 |
UNIX Symbolic Link (Symlink) Following |
| | R |
62 |
UNIX Hard Link |
| | R |
64 |
Windows Shortcut Following (.LNK) |
| | R |
65 |
Windows Hard Link |
| | R |
66 |
Improper Handling of File Names that Identify Virtual Resources |
| | R |
67 |
Improper Handling of Windows Device Names |
| | R |
69 |
Improper Handling of Windows ::DATA Alternate Data Stream |
| | R |
72 |
Improper Handling of Apple HFS+ Alternate Data Stream Path |
| | R |
73 |
External Control of File Name or Path |
| | R |
74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| | R |
75 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| | R |
76 |
Improper Neutralization of Equivalent Special Elements |
| | R |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| | R |
78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| | R |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| | R |
80 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| | R |
81 |
Improper Neutralization of Script in an Error Message Web Page |
| | R |
82 |
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
| | R |
83 |
Improper Neutralization of Script in Attributes in a Web Page |
| | R |
84 |
Improper Neutralization of Encoded URI Schemes in a Web Page |
| | R |
85 |
Doubled Character XSS Manipulations |
| | R |
86 |
Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
| | R |
87 |
Improper Neutralization of Alternate XSS Syntax |
D | | R |
88 |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
| | R |
89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| | R |
90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| | R |
91 |
XML Injection (aka Blind XPath Injection) |
| | R |
93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| | R |
94 |
Improper Control of Generation of Code ('Code Injection') |
| | R |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| | R |
96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| | R |
97 |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
| | R |
98 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
| | R |
99 |
Improper Control of Resource Identifiers ('Resource Injection') |
| | R |
102 |
Struts: Duplicate Validation Forms |
| | R |
103 |
Struts: Incomplete validate() Method Definition |
| | R |
104 |
Struts: Form Bean Does Not Extend Validation Class |
| | R |
105 |
Struts: Form Field Without Validator |
| | R |
106 |
Struts: Plug-in Framework not in Use |
| | R |
107 |
Struts: Unused Validation Form |
| | R |
108 |
Struts: Unvalidated Action Form |
| | R |
109 |
Struts: Validator Turned Off |
| | R |
110 |
Struts: Validator Without Form Field |
| | R |
111 |
Direct Use of Unsafe JNI |
| | R |
112 |
Missing XML Validation |
| | R |
113 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
| | R |
114 |
Process Control |
| | R |
115 |
Misinterpretation of Input |
| | R |
116 |
Improper Encoding or Escaping of Output |
| | R |
117 |
Improper Output Neutralization for Logs |
| | R |
118 |
Incorrect Access of Indexable Resource ('Range Error') |
| | R |
119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
| | R |
120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| | R |
121 |
Stack-based Buffer Overflow |
| | R |
122 |
Heap-based Buffer Overflow |
| | R |
123 |
Write-what-where Condition |
| | R |
124 |
Buffer Underwrite ('Buffer Underflow') |
| | R |
125 |
Out-of-bounds Read |
| | R |
126 |
Buffer Over-read |
| | R |
127 |
Buffer Under-read |
| | R |
128 |
Wrap-around Error |
| | R |
129 |
Improper Validation of Array Index |
| | R |
130 |
Improper Handling of Length Parameter Inconsistency |
| | R |
131 |
Incorrect Calculation of Buffer Size |
| | R |
133 |
String Errors |
| | R |
134 |
Use of Externally-Controlled Format String |
| | R |
135 |
Incorrect Calculation of Multi-Byte String Length |
| | R |
136 |
Type Errors |
| | R |
137 |
Data Neutralization Issues |
| | R |
138 |
Improper Neutralization of Special Elements |
| | R |
140 |
Improper Neutralization of Delimiters |
| | R |
141 |
Improper Neutralization of Parameter/Argument Delimiters |
| | R |
142 |
Improper Neutralization of Value Delimiters |
| | R |
143 |
Improper Neutralization of Record Delimiters |
| | R |
144 |
Improper Neutralization of Line Delimiters |
| | R |
145 |
Improper Neutralization of Section Delimiters |
| | R |
146 |
Improper Neutralization of Expression/Command Delimiters |
| | R |
147 |
Improper Neutralization of Input Terminators |
| | R |
148 |
Improper Neutralization of Input Leaders |
| | R |
149 |
Improper Neutralization of Quoting Syntax |
| | R |
150 |
Improper Neutralization of Escape, Meta, or Control Sequences |
| | R |
151 |
Improper Neutralization of Comment Delimiters |
| | R |
152 |
Improper Neutralization of Macro Symbols |
| | R |
153 |
Improper Neutralization of Substitution Characters |
| | R |
154 |
Improper Neutralization of Variable Name Delimiters |
| | R |
155 |
Improper Neutralization of Wildcards or Matching Symbols |
| | R |
156 |
Improper Neutralization of Whitespace |
| | R |
157 |
Failure to Sanitize Paired Delimiters |
| | R |
158 |
Improper Neutralization of Null Byte or NUL Character |
| | R |
159 |
Improper Handling of Invalid Use of Special Elements |
| | R |
160 |
Improper Neutralization of Leading Special Elements |
| | R |
161 |
Improper Neutralization of Multiple Leading Special Elements |
| | R |
162 |
Improper Neutralization of Trailing Special Elements |
| | R |
163 |
Improper Neutralization of Multiple Trailing Special Elements |
| | R |
164 |
Improper Neutralization of Internal Special Elements |
| | R |
165 |
Improper Neutralization of Multiple Internal Special Elements |
| | R |
166 |
Improper Handling of Missing Special Element |
| | R |
167 |
Improper Handling of Additional Special Element |
| | R |
168 |
Improper Handling of Inconsistent Special Elements |
| | R |
170 |
Improper Null Termination |
| | R |
172 |
Encoding Error |
| | R |
173 |
Improper Handling of Alternate Encoding |
| | R |
174 |
Double Decoding of the Same Data |
| | R |
175 |
Improper Handling of Mixed Encoding |
| | R |
176 |
Improper Handling of Unicode Encoding |
| | R |
177 |
Improper Handling of URL Encoding (Hex Encoding) |
| | R |
178 |
Improper Handling of Case Sensitivity |
| | R |
179 |
Incorrect Behavior Order: Early Validation |
| | R |
180 |
Incorrect Behavior Order: Validate Before Canonicalize |
| | R |
181 |
Incorrect Behavior Order: Validate Before Filter |
| | R |
182 |
Collapse of Data into Unsafe Value |
| | R |
183 |
Permissive List of Allowed Inputs |
| | R |
184 |
Incomplete List of Disallowed Inputs |
| | R |
185 |
Incorrect Regular Expression |
| | R |
186 |
Overly Restrictive Regular Expression |
| | R |
187 |
Partial String Comparison |
| | R |
188 |
Reliance on Data/Memory Layout |
| | R |
189 |
Numeric Errors |
| | R |
190 |
Integer Overflow or Wraparound |
| | R |
191 |
Integer Underflow (Wrap or Wraparound) |
| | R |
192 |
Integer Coercion Error |
| | R |
193 |
Off-by-one Error |
| | R |
194 |
Unexpected Sign Extension |
| | R |
195 |
Signed to Unsigned Conversion Error |
| | R |
196 |
Unsigned to Signed Conversion Error |
| | R |
197 |
Numeric Truncation Error |
| | R |
198 |
Use of Incorrect Byte Ordering |
| | R |
199 |
Information Management Errors |
| | R |
200 |
Exposure of Sensitive Information to an Unauthorized Actor |
| | R |
201 |
Insertion of Sensitive Information Into Sent Data |
| | R |
202 |
Exposure of Sensitive Information Through Data Queries |
| | R |
203 |
Observable Discrepancy |
| | R |
204 |
Observable Response Discrepancy |
| | R |
205 |
Observable Behavioral Discrepancy |
| | R |
206 |
Observable Internal Behavioral Discrepancy |
| | R |
207 |
Observable Behavioral Discrepancy With Equivalent Products |
| | R |
208 |
Observable Timing Discrepancy |
| | R |
209 |
Generation of Error Message Containing Sensitive Information |
| | R |
210 |
Self-generated Error Message Containing Sensitive Information |
| | R |
211 |
Externally-Generated Error Message Containing Sensitive Information |
| | R |
212 |
Improper Removal of Sensitive Information Before Storage or Transfer |
| | R |
213 |
Exposure of Sensitive Information Due to Incompatible Policies |
| | R |
214 |
Invocation of Process Using Visible Sensitive Information |
| | R |
215 |
Insertion of Sensitive Information Into Debugging Code |
| | R |
219 |
Storage of File with Sensitive Data Under Web Root |
| | R |
220 |
Storage of File With Sensitive Data Under FTP Root |
| | R |
221 |
Information Loss or Omission |
| | R |
222 |
Truncation of Security-relevant Information |
| | R |
223 |
Omission of Security-relevant Information |
| | R |
224 |
Obscured Security-relevant Information by Alternate Name |
| | R |
226 |
Sensitive Information in Resource Not Removed Before Reuse |
| | R |
228 |
Improper Handling of Syntactically Invalid Structure |
| | R |
229 |
Improper Handling of Values |
| | R |
230 |
Improper Handling of Missing Values |
| | R |
231 |
Improper Handling of Extra Values |
| | R |
232 |
Improper Handling of Undefined Values |
| | R |
233 |
Improper Handling of Parameters |
| | R |
234 |
Failure to Handle Missing Parameter |
| | R |
235 |
Improper Handling of Extra Parameters |
| | R |
236 |
Improper Handling of Undefined Parameters |
| | R |
237 |
Improper Handling of Structural Elements |
| | R |
238 |
Improper Handling of Incomplete Structural Elements |
| | R |
239 |
Failure to Handle Incomplete Element |
| | R |
240 |
Improper Handling of Inconsistent Structural Elements |
| | R |
241 |
Improper Handling of Unexpected Data Type |
| | R |
242 |
Use of Inherently Dangerous Function |
| | R |
243 |
Creation of chroot Jail Without Changing Working Directory |
| | R |
244 |
Improper Clearing of Heap Memory Before Release ('Heap Inspection') |
| | R |
245 |
J2EE Bad Practices: Direct Management of Connections |
| | R |
246 |
J2EE Bad Practices: Direct Use of Sockets |
| | R |
248 |
Uncaught Exception |
| | R |
250 |
Execution with Unnecessary Privileges |
| | R |
252 |
Unchecked Return Value |
| | R |
253 |
Incorrect Check of Function Return Value |
| | R |
255 |
Credentials Management Errors |
| | R |
256 |
Plaintext Storage of a Password |
| | R |
257 |
Storing Passwords in a Recoverable Format |
| | R |
258 |
Empty Password in Configuration File |
| | R |
259 |
Use of Hard-coded Password |
| | R |
260 |
Password in Configuration File |
| | R |
261 |
Weak Encoding for Password |
| | R |
262 |
Not Using Password Aging |
| | R |
263 |
Password Aging with Long Expiration |
| | R |
266 |
Incorrect Privilege Assignment |
| | R |
267 |
Privilege Defined With Unsafe Actions |
| | R |
268 |
Privilege Chaining |
| | R |
269 |
Improper Privilege Management |
| | R |
270 |
Privilege Context Switching Error |
| | R |
271 |
Privilege Dropping / Lowering Errors |
| | R |
272 |
Least Privilege Violation |
| | R |
273 |
Improper Check for Dropped Privileges |
| | R |
274 |
Improper Handling of Insufficient Privileges |
| | R |
276 |
Incorrect Default Permissions |
| | R |
277 |
Insecure Inherited Permissions |
| | R |
278 |
Insecure Preserved Inherited Permissions |
| | R |
279 |
Incorrect Execution-Assigned Permissions |
| | R |
280 |
Improper Handling of Insufficient Permissions or Privileges |
| | R |
281 |
Improper Preservation of Permissions |
| | R |
282 |
Improper Ownership Management |
| | R |
283 |
Unverified Ownership |
| | R |
284 |
Improper Access Control |
| | R |
285 |
Improper Authorization |
| | R |
286 |
Incorrect User Management |
| | R |
287 |
Improper Authentication |
| | R |
288 |
Authentication Bypass Using an Alternate Path or Channel |
| | R |
289 |
Authentication Bypass by Alternate Name |
| | R |
290 |
Authentication Bypass by Spoofing |
| | R |
291 |
Reliance on IP Address for Authentication |
| | R |
293 |
Using Referer Field for Authentication |
| | R |
294 |
Authentication Bypass by Capture-replay |
| | R |
295 |
Improper Certificate Validation |
| | R |
296 |
Improper Following of a Certificate's Chain of Trust |
| | R |
297 |
Improper Validation of Certificate with Host Mismatch |
| | R |
298 |
Improper Validation of Certificate Expiration |
| | R |
299 |
Improper Check for Certificate Revocation |
| | R |
300 |
Channel Accessible by Non-Endpoint |
| | R |
301 |
Reflection Attack in an Authentication Protocol |
| | R |
302 |
Authentication Bypass by Assumed-Immutable Data |
| | R |
303 |
Incorrect Implementation of Authentication Algorithm |
| | R |
304 |
Missing Critical Step in Authentication |
| | R |
305 |
Authentication Bypass by Primary Weakness |
| | R |
306 |
Missing Authentication for Critical Function |
| | R |
307 |
Improper Restriction of Excessive Authentication Attempts |
| | R |
308 |
Use of Single-factor Authentication |
| | R |
309 |
Use of Password System for Primary Authentication |
| | R |
310 |
Cryptographic Issues |
| | R |
311 |
Missing Encryption of Sensitive Data |
| | R |
312 |
Cleartext Storage of Sensitive Information |
| | R |
313 |
Cleartext Storage in a File or on Disk |
| | R |
314 |
Cleartext Storage in the Registry |
| | R |
315 |
Cleartext Storage of Sensitive Information in a Cookie |
| | R |
316 |
Cleartext Storage of Sensitive Information in Memory |
| | R |
317 |
Cleartext Storage of Sensitive Information in GUI |
| | R |
318 |
Cleartext Storage of Sensitive Information in Executable |
| | R |
319 |
Cleartext Transmission of Sensitive Information |
| | R |
320 |
Key Management Errors |
| | R |
321 |
Use of Hard-coded Cryptographic Key |
| | R |
322 |
Key Exchange without Entity Authentication |
| | R |
323 |
Reusing a Nonce, Key Pair in Encryption |
| | R |
324 |
Use of a Key Past its Expiration Date |
| | R |
325 |
Missing Cryptographic Step |
| | R |
326 |
Inadequate Encryption Strength |
| | R |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
| | R |
328 |
Use of Weak Hash |
| | R |
329 |
Generation of Predictable IV with CBC Mode |
| | R |
330 |
Use of Insufficiently Random Values |
| | R |
331 |
Insufficient Entropy |
| | R |
332 |
Insufficient Entropy in PRNG |
| | R |
333 |
Improper Handling of Insufficient Entropy in TRNG |
| | R |
334 |
Small Space of Random Values |
| | R |
335 |
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
| | R |
336 |
Same Seed in Pseudo-Random Number Generator (PRNG) |
| | R |
337 |
Predictable Seed in Pseudo-Random Number Generator (PRNG) |
| | R |
338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| | R |
339 |
Small Seed Space in PRNG |
| | R |
340 |
Generation of Predictable Numbers or Identifiers |
| | R |
341 |
Predictable from Observable State |
| | R |
342 |
Predictable Exact Value from Previous Values |
| | R |
343 |
Predictable Value Range from Previous Values |
| | R |
344 |
Use of Invariant Value in Dynamically Changing Context |
| | R |
345 |
Insufficient Verification of Data Authenticity |
| | R |
346 |
Origin Validation Error |
| | R |
347 |
Improper Verification of Cryptographic Signature |
| | R |
348 |
Use of Less Trusted Source |
| | R |
349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
| | R |
350 |
Reliance on Reverse DNS Resolution for a Security-Critical Action |
| | R |
351 |
Insufficient Type Distinction |
| | R |
352 |
Cross-Site Request Forgery (CSRF) |
| | R |
353 |
Missing Support for Integrity Check |
| | R |
354 |
Improper Validation of Integrity Check Value |
| | R |
355 |
User Interface Security Issues |
| | R |
356 |
Product UI does not Warn User of Unsafe Actions |
| | R |
357 |
Insufficient UI Warning of Dangerous Operations |
| | R |
358 |
Improperly Implemented Security Check for Standard |
| | R |
359 |
Exposure of Private Personal Information to an Unauthorized Actor |
| | R |
360 |
Trust of System Event Data |
| | R |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| | R |
363 |
Race Condition Enabling Link Following |
| | R |
364 |
Signal Handler Race Condition |
| | R |
366 |
Race Condition within a Thread |
| | R |
367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
| | R |
368 |
Context Switching Race Condition |
| | R |
369 |
Divide By Zero |
| | R |
370 |
Missing Check for Certificate Revocation after Initial Check |
| | R |
372 |
Incomplete Internal State Distinction |
| | R |
374 |
Passing Mutable Objects to an Untrusted Method |
| | R |
375 |
Returning a Mutable Object to an Untrusted Caller |
| | R |
377 |
Insecure Temporary File |
| | R |
378 |
Creation of Temporary File With Insecure Permissions |
| | R |
379 |
Creation of Temporary File in Directory with Insecure Permissions |
| | R |
382 |
J2EE Bad Practices: Use of System.exit() |
| | R |
383 |
J2EE Bad Practices: Direct Use of Threads |
| | R |
384 |
Session Fixation |
| | R |
385 |
Covert Timing Channel |
| | R |
386 |
Symbolic Name not Mapping to Correct Object |
| | R |
387 |
Signal Errors |
| | R |
389 |
Error Conditions, Return Values, Status Codes |
| | R |
390 |
Detection of Error Condition Without Action |
| | R |
391 |
Unchecked Error Condition |
| | R |
392 |
Missing Report of Error Condition |
| | R |
393 |
Return of Wrong Status Code |
| | R |
394 |
Unexpected Status Code or Return Value |
| | R |
395 |
Use of NullPointerException Catch to Detect NULL Pointer Dereference |
D | | R |
396 |
Declaration of Catch for Generic Exception |
| | R |
397 |
Declaration of Throws for Generic Exception |
| | R |
399 |
Resource Management Errors |
| | R |
400 |
Uncontrolled Resource Consumption |
| | R |
401 |
Missing Release of Memory after Effective Lifetime |
| | R |
402 |
Transmission of Private Resources into a New Sphere ('Resource Leak') |
| | R |
403 |
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') |
| | R |
404 |
Improper Resource Shutdown or Release |
| | R |
405 |
Asymmetric Resource Consumption (Amplification) |
| | R |
406 |
Insufficient Control of Network Message Volume (Network Amplification) |
| | R |
407 |
Inefficient Algorithmic Complexity |
| | R |
408 |
Incorrect Behavior Order: Early Amplification |
| | R |
409 |
Improper Handling of Highly Compressed Data (Data Amplification) |
| | R |
410 |
Insufficient Resource Pool |
| | R |
412 |
Unrestricted Externally Accessible Lock |
| | R |
413 |
Improper Resource Locking |
| | R |
414 |
Missing Lock Check |
| | R |
415 |
Double Free |
| | R |
416 |
Use After Free |
| | R |
417 |
Communication Channel Errors |
| | R |
419 |
Unprotected Primary Channel |
| | R |
420 |
Unprotected Alternate Channel |
| | R |
421 |
Race Condition During Access to Alternate Channel |
| | R |
422 |
Unprotected Windows Messaging Channel ('Shatter') |
| | R |
424 |
Improper Protection of Alternate Path |
| | R |
425 |
Direct Request ('Forced Browsing') |
| | R |
426 |
Untrusted Search Path |
| | R |
427 |
Uncontrolled Search Path Element |
| | R |
428 |
Unquoted Search Path or Element |
| | R |
429 |
Handler Errors |
| | R |
430 |
Deployment of Wrong Handler |
| | R |
431 |
Missing Handler |
| | R |
432 |
Dangerous Signal Handler not Disabled During Sensitive Operations |
| | R |
433 |
Unparsed Raw Web Content Delivery |
| | R |
434 |
Unrestricted Upload of File with Dangerous Type |
| | R |
435 |
Improper Interaction Between Multiple Correctly-Behaving Entities |
| | R |
436 |
Interpretation Conflict |
| | R |
437 |
Incomplete Model of Endpoint Features |
| | R |
439 |
Behavioral Change in New Version or Environment |
| | R |
440 |
Expected Behavior Violation |
| | R |
441 |
Unintended Proxy or Intermediary ('Confused Deputy') |
| | R |
444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
| | R |
446 |
UI Discrepancy for Security Feature |
| | R |
447 |
Unimplemented or Unsupported Feature in UI |
| | R |
448 |
Obsolete Feature in UI |
| | R |
449 |
The UI Performs the Wrong Action |
| | R |
450 |
Multiple Interpretations of UI Input |
| | R |
451 |
User Interface (UI) Misrepresentation of Critical Information |
| | R |
452 |
Initialization and Cleanup Errors |
| | R |
453 |
Insecure Default Variable Initialization |
| | R |
454 |
External Initialization of Trusted Variables or Data Stores |
| | R |
455 |
Non-exit on Failed Initialization |
| | R |
456 |
Missing Initialization of a Variable |
| | R |
457 |
Use of Uninitialized Variable |
| | R |
459 |
Incomplete Cleanup |
| | R |
460 |
Improper Cleanup on Thrown Exception |
| | R |
462 |
Duplicate Key in Associative List (Alist) |
| | R |
463 |
Deletion of Data Structure Sentinel |
| | R |
464 |
Addition of Data Structure Sentinel |
| | R |
465 |
Pointer Issues |
| | R |
466 |
Return of Pointer Value Outside of Expected Range |
| | R |
467 |
Use of sizeof() on a Pointer Type |
| | R |
468 |
Incorrect Pointer Scaling |
| | R |
469 |
Use of Pointer Subtraction to Determine Size |
| | R |
470 |
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| | R |
471 |
Modification of Assumed-Immutable Data (MAID) |
| | R |
472 |
External Control of Assumed-Immutable Web Parameter |
| | R |
473 |
PHP External Variable Modification |
| | R |
474 |
Use of Function with Inconsistent Implementations |
| | R |
475 |
Undefined Behavior for Input to API |
| | R |
476 |
NULL Pointer Dereference |
| | R |
477 |
Use of Obsolete Function |
| | R |
478 |
Missing Default Case in Multiple Condition Expression |
| | R |
479 |
Signal Handler Use of a Non-reentrant Function |
| | R |
480 |
Use of Incorrect Operator |
| | R |
481 |
Assigning instead of Comparing |
| | R |
482 |
Comparing instead of Assigning |
| | R |
483 |
Incorrect Block Delimitation |
| | R |
484 |
Omitted Break Statement in Switch |
| | R |
486 |
Comparison of Classes by Name |
| | R |
487 |
Reliance on Package-level Scope |
| | R |
488 |
Exposure of Data Element to Wrong Session |
| | R |
489 |
Active Debug Code |
| | R |
491 |
Public cloneable() Method Without Final ('Object Hijack') |
| | R |
492 |
Use of Inner Class Containing Sensitive Data |
| | R |
493 |
Critical Public Variable Without Final Modifier |
| | R |
494 |
Download of Code Without Integrity Check |
| | R |
495 |
Private Data Structure Returned From A Public Method |
| | R |
496 |
Public Data Assigned to Private Array-Typed Field |
| | R |
497 |
Exposure of Sensitive System Information to an Unauthorized Control Sphere |
| | R |
498 |
Cloneable Class Containing Sensitive Information |
| | R |
499 |
Serializable Class Containing Sensitive Data |
| | R |
500 |
Public Static Field Not Marked Final |
| | R |
501 |
Trust Boundary Violation |
| | R |
502 |
Deserialization of Untrusted Data |
| | R |
506 |
Embedded Malicious Code |
| | R |
507 |
Trojan Horse |
| | R |
508 |
Non-Replicating Malicious Code |
| | R |
509 |
Replicating Malicious Code (Virus or Worm) |
| | R |
510 |
Trapdoor |
| | R |
511 |
Logic/Time Bomb |
| | R |
512 |
Spyware |
| | R |
514 |
Covert Channel |
| | R |
515 |
Covert Storage Channel |
| | R |
520 |
.NET Misconfiguration: Use of Impersonation |
| | R |
521 |
Weak Password Requirements |
| | R |
522 |
Insufficiently Protected Credentials |
| | R |
523 |
Unprotected Transport of Credentials |
| | R |
524 |
Use of Cache Containing Sensitive Information |
| | R |
525 |
Use of Web Browser Cache Containing Sensitive Information |
| | R |
526 |
Cleartext Storage of Sensitive Information in an Environment Variable |
| | R |
527 |
Exposure of Version-Control Repository to an Unauthorized Control Sphere |
| | R |
528 |
Exposure of Core Dump File to an Unauthorized Control Sphere |
| | R |
529 |
Exposure of Access Control List Files to an Unauthorized Control Sphere |
| | R |
530 |
Exposure of Backup File to an Unauthorized Control Sphere |
| | R |
531 |
Inclusion of Sensitive Information in Test Code |
| | R |
532 |
Insertion of Sensitive Information into Log File |
| | R |
535 |
Exposure of Information Through Shell Error Message |
| | R |
536 |
Servlet Runtime Error Message Containing Sensitive Information |
| | R |
537 |
Java Runtime Error Message Containing Sensitive Information |
| | R |
538 |
Insertion of Sensitive Information into Externally-Accessible File or Directory |
| | R |
539 |
Use of Persistent Cookies Containing Sensitive Information |
| | R |
540 |
Inclusion of Sensitive Information in Source Code |
| | R |
541 |
Inclusion of Sensitive Information in an Include File |
| | R |
543 |
Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
| | R |
544 |
Missing Standardized Error Handling Mechanism |
| | R |
546 |
Suspicious Comment |
| | R |
547 |
Use of Hard-coded, Security-relevant Constants |
| | R |
548 |
Exposure of Information Through Directory Listing |
| | R |
549 |
Missing Password Field Masking |
| | R |
550 |
Server-generated Error Message Containing Sensitive Information |
| | R |
551 |
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
D | | R |
552 |
Files or Directories Accessible to External Parties |
| | R |
553 |
Command Shell in Externally Accessible Directory |
| | R |
554 |
ASP.NET Misconfiguration: Not Using Input Validation Framework |
| | R |
555 |
J2EE Misconfiguration: Plaintext Password in Configuration File |
| | R |
556 |
ASP.NET Misconfiguration: Use of Identity Impersonation |
| | R |
557 |
Concurrency Issues |
| | R |
558 |
Use of getlogin() in Multithreaded Application |
| | R |
560 |
Use of umask() with chmod-style Argument |
| | R |
561 |
Dead Code |
| | R |
562 |
Return of Stack Variable Address |
| | R |
563 |
Assignment to Variable without Use |
| | R |
564 |
SQL Injection: Hibernate |
| | R |
565 |
Reliance on Cookies without Validation and Integrity Checking |
| | R |
566 |
Authorization Bypass Through User-Controlled SQL Primary Key |
| | R |
567 |
Unsynchronized Access to Shared Data in a Multithreaded Context |
| | R |
568 |
finalize() Method Without super.finalize() |
| | R |
569 |
Expression Issues |
| | R |
570 |
Expression is Always False |
| | R |
571 |
Expression is Always True |
| | R |
572 |
Call to Thread run() instead of start() |
| | R |
573 |
Improper Following of Specification by Caller |
| | R |
574 |
EJB Bad Practices: Use of Synchronization Primitives |
| | R |
575 |
EJB Bad Practices: Use of AWT Swing |
| | R |
576 |
EJB Bad Practices: Use of Java I/O |
| | R |
577 |
EJB Bad Practices: Use of Sockets |
| | R |
578 |
EJB Bad Practices: Use of Class Loader |
| | R |
579 |
J2EE Bad Practices: Non-serializable Object Stored in Session |
| | R |
580 |
clone() Method Without super.clone() |
| | R |
581 |
Object Model Violation: Just One of Equals and Hashcode Defined |
| | R |
582 |
Array Declared Public, Final, and Static |
| | R |
583 |
finalize() Method Declared Public |
| | R |
584 |
Return Inside Finally Block |
| | R |
585 |
Empty Synchronized Block |
| | R |
586 |
Explicit Call to Finalize() |
| | R |
587 |
Assignment of a Fixed Address to a Pointer |
| | R |
588 |
Attempt to Access Child of a Non-structure Pointer |
| | R |
589 |
Call to Non-ubiquitous API |
| | R |
590 |
Free of Memory not on the Heap |
| | R |
591 |
Sensitive Data Storage in Improperly Locked Memory |
| | R |
593 |
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
| | R |
594 |
J2EE Framework: Saving Unserializable Objects to Disk |
| | R |
595 |
Comparison of Object References Instead of Object Contents |
| | R |
597 |
Use of Wrong Operator in String Comparison |
| | R |
598 |
Use of GET Request Method With Sensitive Query Strings |
| | R |
599 |
Missing Validation of OpenSSL Certificate |
| | R |
600 |
Uncaught Exception in Servlet |
D | | R |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
| | R |
602 |
Client-Side Enforcement of Server-Side Security |
| | R |
603 |
Use of Client-Side Authentication |
| | R |
605 |
Multiple Binds to the Same Port |
| | R |
606 |
Unchecked Input for Loop Condition |
| | R |
607 |
Public Static Final Field References Mutable Object |
| | R |
608 |
Struts: Non-private Field in ActionForm Class |
| | R |
609 |
Double-Checked Locking |
| | R |
610 |
Externally Controlled Reference to a Resource in Another Sphere |
| | R |
611 |
Improper Restriction of XML External Entity Reference |
| | R |
612 |
Improper Authorization of Index Containing Sensitive Information |
| | R |
613 |
Insufficient Session Expiration |
| | R |
614 |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| | R |
615 |
Inclusion of Sensitive Information in Source Code Comments |
| | R |
616 |
Incomplete Identification of Uploaded File Variables (PHP) |
| | R |
617 |
Reachable Assertion |
| | R |
618 |
Exposed Unsafe ActiveX Method |
| | R |
619 |
Dangling Database Cursor ('Cursor Injection') |
| | R |
620 |
Unverified Password Change |
| | R |
621 |
Variable Extraction Error |
| | R |
622 |
Improper Validation of Function Hook Arguments |
| | R |
623 |
Unsafe ActiveX Control Marked Safe For Scripting |
| | R |
624 |
Executable Regular Expression Error |
| | R |
625 |
Permissive Regular Expression |
| | R |
626 |
Null Byte Interaction Error (Poison Null Byte) |
| | R |
627 |
Dynamic Variable Evaluation |
| | R |
628 |
Function Call with Incorrectly Specified Arguments |
| | R |
636 |
Not Failing Securely ('Failing Open') |
| | R |
637 |
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
| | R |
638 |
Not Using Complete Mediation |
| | R |
639 |
Authorization Bypass Through User-Controlled Key |
| | R |
640 |
Weak Password Recovery Mechanism for Forgotten Password |
| | R |
641 |
Improper Restriction of Names for Files and Other Resources |
| | R |
642 |
External Control of Critical State Data |
| | R |
643 |
Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| | R |
644 |
Improper Neutralization of HTTP Headers for Scripting Syntax |
| | R |
645 |
Overly Restrictive Account Lockout Mechanism |
| | R |
646 |
Reliance on File Name or Extension of Externally-Supplied File |
| | R |
647 |
Use of Non-Canonical URL Paths for Authorization Decisions |
| | R |
648 |
Incorrect Use of Privileged APIs |
| | R |
649 |
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking |
| | R |
650 |
Trusting HTTP Permission Methods on the Server Side |
| | R |
651 |
Exposure of WSDL File Containing Sensitive Information |
| | R |
652 |
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
| | R |
653 |
Improper Isolation or Compartmentalization |
| | R |
654 |
Reliance on a Single Factor in a Security Decision |
| | R |
655 |
Insufficient Psychological Acceptability |
| | R |
656 |
Reliance on Security Through Obscurity |
| | R |
657 |
Violation of Secure Design Principles |
| | R |
662 |
Improper Synchronization |
| | R |
663 |
Use of a Non-reentrant Function in a Concurrent Context |
| | R |
664 |
Improper Control of a Resource Through its Lifetime |
| | R |
665 |
Improper Initialization |
| | R |
666 |
Operation on Resource in Wrong Phase of Lifetime |
| | R |
667 |
Improper Locking |
| | R |
668 |
Exposure of Resource to Wrong Sphere |
| | R |
669 |
Incorrect Resource Transfer Between Spheres |
| | R |
670 |
Always-Incorrect Control Flow Implementation |
| | R |
671 |
Lack of Administrator Control over Security |
| | R |
672 |
Operation on a Resource after Expiration or Release |
| | R |
673 |
External Influence of Sphere Definition |
| | R |
674 |
Uncontrolled Recursion |
| | R |
675 |
Multiple Operations on Resource in Single-Operation Context |
| | R |
676 |
Use of Potentially Dangerous Function |
| | R |
680 |
Integer Overflow to Buffer Overflow |
| | R |
681 |
Incorrect Conversion between Numeric Types |
| | R |
682 |
Incorrect Calculation |
| | R |
683 |
Function Call With Incorrect Order of Arguments |
| | R |
684 |
Incorrect Provision of Specified Functionality |
| | R |
685 |
Function Call With Incorrect Number of Arguments |
| | R |
686 |
Function Call With Incorrect Argument Type |
| | R |
687 |
Function Call With Incorrectly Specified Argument Value |
| | R |
688 |
Function Call With Incorrect Variable or Reference as Argument |
| | R |
689 |
Permission Race Condition During Resource Copy |
| | R |
690 |
Unchecked Return Value to NULL Pointer Dereference |
| | R |
691 |
Insufficient Control Flow Management |
| | R |
692 |
Incomplete Denylist to Cross-Site Scripting |
| | R |
693 |
Protection Mechanism Failure |
| | R |
694 |
Use of Multiple Resources with Duplicate Identifier |
| | R |
695 |
Use of Low-Level Functionality |
| | R |
696 |
Incorrect Behavior Order |
| | R |
697 |
Incorrect Comparison |
| | R |
698 |
Execution After Redirect (EAR) |
| | R |
703 |
Improper Check or Handling of Exceptional Conditions |
| | R |
704 |
Incorrect Type Conversion or Cast |
| | R |
705 |
Incorrect Control Flow Scoping |
| | R |
706 |
Use of Incorrectly-Resolved Name or Reference |
| | R |
707 |
Improper Neutralization |
| | R |
708 |
Incorrect Ownership Assignment |
| | R |
710 |
Improper Adherence to Coding Standards |
D | | R |
732 |
Incorrect Permission Assignment for Critical Resource |
| | R |
733 |
Compiler Optimization Removal or Modification of Security-critical Code |
| | R |
749 |
Exposed Dangerous Method or Function |
| | R |
754 |
Improper Check for Unusual or Exceptional Conditions |
| | R |
755 |
Improper Handling of Exceptional Conditions |
| | R |
756 |
Missing Custom Error Page |
| | R |
757 |
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') |
| | R |
758 |
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
| | R |
759 |
Use of a One-Way Hash without a Salt |
| | R |
760 |
Use of a One-Way Hash with a Predictable Salt |
| | R |
761 |
Free of Pointer not at Start of Buffer |
| | R |
762 |
Mismatched Memory Management Routines |
| | R |
763 |
Release of Invalid Pointer or Reference |
| | R |
764 |
Multiple Locks of a Critical Resource |
| | R |
765 |
Multiple Unlocks of a Critical Resource |
| | R |
766 |
Critical Data Element Declared Public |
| | R |
767 |
Access to Critical Private Variable via Public Method |
| | R |
768 |
Incorrect Short Circuit Evaluation |
| | R |
770 |
Allocation of Resources Without Limits or Throttling |
| | R |
771 |
Missing Reference to Active Allocated Resource |
| | R |
772 |
Missing Release of Resource after Effective Lifetime |
| | R |
773 |
Missing Reference to Active File Descriptor or Handle |
| | R |
774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
| | R |
775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
| | R |
776 |
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
| | R |
777 |
Regular Expression without Anchors |
| | R |
778 |
Insufficient Logging |
| | R |
779 |
Logging of Excessive Data |
| | R |
780 |
Use of RSA Algorithm without OAEP |
| | R |
781 |
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code |
| | R |
782 |
Exposed IOCTL with Insufficient Access Control |
| | R |
783 |
Operator Precedence Logic Error |
| | R |
784 |
Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
| | R |
785 |
Use of Path Manipulation Function without Maximum-sized Buffer |
| | R |
786 |
Access of Memory Location Before Start of Buffer |
| | R |
787 |
Out-of-bounds Write |
| | R |
788 |
Access of Memory Location After End of Buffer |
| | R |
789 |
Memory Allocation with Excessive Size Value |
| | R |
790 |
Improper Filtering of Special Elements |
| | R |
791 |
Incomplete Filtering of Special Elements |
| | R |
792 |
Incomplete Filtering of One or More Instances of Special Elements |
| | R |
793 |
Only Filtering One Instance of a Special Element |
| | R |
794 |
Incomplete Filtering of Multiple Instances of Special Elements |
| | R |
795 |
Only Filtering Special Elements at a Specified Location |
| | R |
796 |
Only Filtering Special Elements Relative to a Marker |
| | R |
797 |
Only Filtering Special Elements at an Absolute Position |
| | R |
798 |
Use of Hard-coded Credentials |
| | R |
799 |
Improper Control of Interaction Frequency |
| | R |
804 |
Guessable CAPTCHA |
| | R |
805 |
Buffer Access with Incorrect Length Value |
| | R |
806 |
Buffer Access Using Size of Source Buffer |
| | R |
807 |
Reliance on Untrusted Inputs in a Security Decision |
| | R |
820 |
Missing Synchronization |
| | R |
821 |
Incorrect Synchronization |
| | R |
822 |
Untrusted Pointer Dereference |
| | R |
823 |
Use of Out-of-range Pointer Offset |
| | R |
824 |
Access of Uninitialized Pointer |
| | R |
825 |
Expired Pointer Dereference |
| | R |
826 |
Premature Release of Resource During Expected Lifetime |
| | R |
827 |
Improper Control of Document Type Definition |
| | R |
828 |
Signal Handler with Functionality that is not Asynchronous-Safe |
| | R |
829 |
Inclusion of Functionality from Untrusted Control Sphere |
| | R |
830 |
Inclusion of Web Functionality from an Untrusted Source |
| | R |
831 |
Signal Handler Function Associated with Multiple Signals |
| | R |
832 |
Unlock of a Resource that is not Locked |
| | R |
833 |
Deadlock |
| | R |
834 |
Excessive Iteration |
| | R |
835 |
Loop with Unreachable Exit Condition ('Infinite Loop') |
| | R |
836 |
Use of Password Hash Instead of Password for Authentication |
| | R |
837 |
Improper Enforcement of a Single, Unique Action |
| | R |
838 |
Inappropriate Encoding for Output Context |
| | R |
839 |
Numeric Range Comparison Without Minimum Check |
| | R |
840 |
Business Logic Errors |
| | R |
841 |
Improper Enforcement of Behavioral Workflow |
| | R |
842 |
Placement of User into Incorrect Group |
| | R |
843 |
Access of Resource Using Incompatible Type ('Type Confusion') |
| | R |
862 |
Missing Authorization |
| | R |
863 |
Incorrect Authorization |
| | R |
908 |
Use of Uninitialized Resource |
| | R |
909 |
Missing Initialization of Resource |
| | R |
910 |
Use of Expired File Descriptor |
| | R |
911 |
Improper Update of Reference Count |
| | R |
912 |
Hidden Functionality |
| | R |
913 |
Improper Control of Dynamically-Managed Code Resources |
| | R |
914 |
Improper Control of Dynamically-Identified Variables |
| | R |
915 |
Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| | R |
916 |
Use of Password Hash With Insufficient Computational Effort |
| | R |
917 |
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| | R |
918 |
Server-Side Request Forgery (SSRF) |
| | R |
920 |
Improper Restriction of Power Consumption |
| | R |
921 |
Storage of Sensitive Data in a Mechanism without Access Control |
| | R |
922 |
Insecure Storage of Sensitive Information |
| | R |
923 |
Improper Restriction of Communication Channel to Intended Endpoints |
| | R |
924 |
Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
| | R |
925 |
Improper Verification of Intent by Broadcast Receiver |
| | R |
926 |
Improper Export of Android Application Components |
| | R |
927 |
Use of Implicit Intent for Sensitive Communication |
| | R |
939 |
Improper Authorization in Handler for Custom URL Scheme |
| | R |
940 |
Improper Verification of Source of a Communication Channel |
| | R |
941 |
Incorrectly Specified Destination in a Communication Channel |
| | R |
942 |
Permissive Cross-domain Policy with Untrusted Domains |
| | R |
943 |
Improper Neutralization of Special Elements in Data Query Logic |
| | R |
1004 |
Sensitive Cookie Without 'HttpOnly' Flag |
| | R |
1006 |
Bad Coding Practices |
| | R |
1007 |
Insufficient Visual Distinction of Homoglyphs Presented to User |
| | R |
1021 |
Improper Restriction of Rendered UI Layers or Frames |
| | R |
1022 |
Use of Web Link to Untrusted Target with window.opener Access |
| | R |
1023 |
Incomplete Comparison with Missing Factors |
| | R |
1024 |
Comparison of Incompatible Types |
| | R |
1025 |
Comparison Using Wrong Factors |
| | R |
1037 |
Processor Optimization Removal or Modification of Security-critical Code |
| | R |
1038 |
Insecure Automated Optimizations |
| | R |
1039 |
Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations |
| | R |
1041 |
Use of Redundant Code |
| | R |
1042 |
Static Member Data Element outside of a Singleton Class Element |
| | R |
1043 |
Data Element Aggregating an Excessively Large Number of Non-Primitive Elements |
| | R |
1044 |
Architecture with Number of Horizontal Layers Outside of Expected Range |
| | R |
1045 |
Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor |
| | R |
1046 |
Creation of Immutable Text Using String Concatenation |
| | R |
1047 |
Modules with Circular Dependencies |
| | R |
1048 |
Invokable Control Element with Large Number of Outward Calls |
| | R |
1049 |
Excessive Data Query Operations in a Large Data Table |
| | R |
1050 |
Excessive Platform Resource Consumption within a Loop |
| | R |
1051 |
Initialization with Hard-Coded Network Resource Configuration Data |
| | R |
1052 |
Excessive Use of Hard-Coded Literals in Initialization |
| | R |
1053 |
Missing Documentation for Design |
| | R |
1054 |
Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer |
| | R |
1055 |
Multiple Inheritance from Concrete Classes |
| | R |
1056 |
Invokable Control Element with Variadic Parameters |
| | R |
1057 |
Data Access Operations Outside of Expected Data Manager Component |
| | R |
1058 |
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element |
| | R |
1059 |
Insufficient Technical Documentation |
| | R |
1060 |
Excessive Number of Inefficient Server-Side Data Accesses |
| | R |
1061 |
Insufficient Encapsulation |
| | R |
1062 |
Parent Class with References to Child Class |
| | R |
1063 |
Creation of Class Instance within a Static Code Block |
| | R |
1064 |
Invokable Control Element with Signature Containing an Excessive Number of Parameters |
| | R |
1065 |
Runtime Resource Management Control Element in a Component Built to Run on Application Servers |
| | R |
1066 |
Missing Serialization Control Element |
| | R |
1067 |
Excessive Execution of Sequential Searches of Data Resource |
| | R |
1068 |
Inconsistency Between Implementation and Documented Design |
| | R |
1069 |
Empty Exception Block |
| | R |
1070 |
Serializable Data Element Containing non-Serializable Item Elements |
| | R |
1071 |
Empty Code Block |
| | R |
1072 |
Data Resource Access without Use of Connection Pooling |
| | R |
1073 |
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses |
| | R |
1074 |
Class with Excessively Deep Inheritance |
| | R |
1075 |
Unconditional Control Flow Transfer outside of Switch Block |
| | R |
1076 |
Insufficient Adherence to Expected Conventions |
| | R |
1077 |
Floating Point Comparison with Incorrect Operator |
| | R |
1078 |
Inappropriate Source Code Style or Formatting |
| | R |
1079 |
Parent Class without Virtual Destructor Method |
| | R |
1080 |
Source Code File with Excessive Number of Lines of Code |
| | R |
1082 |
Class Instance Self Destruction Control Element |
| | R |
1083 |
Data Access from Outside Expected Data Manager Component |
| | R |
1084 |
Invokable Control Element with Excessive File or Data Access Operations |
| | R |
1085 |
Invokable Control Element with Excessive Volume of Commented-out Code |
| | R |
1086 |
Class with Excessive Number of Child Classes |
| | R |
1087 |
Class with Virtual Method without a Virtual Destructor |
| | R |
1088 |
Synchronous Access of Remote Resource without Timeout |
| | R |
1089 |
Large Data Table with Excessive Number of Indices |
| | R |
1090 |
Method Containing Access of a Member Element from Another Class |
| | R |
1091 |
Use of Object without Invoking Destructor Method |
| | R |
1092 |
Use of Same Invokable Control Element in Multiple Architectural Layers |
| | R |
1093 |
Excessively Complex Data Representation |
| | R |
1094 |
Excessive Index Range Scan for a Data Resource |
| | R |
1095 |
Loop Condition Value Update within the Loop |
| | R |
1096 |
Singleton Class Instance Creation without Proper Locking or Synchronization |
| | R |
1097 |
Persistent Storable Data Element without Associated Comparison Control Element |
| | R |
1098 |
Data Element containing Pointer Item without Proper Copy Control Element |
| | R |
1099 |
Inconsistent Naming Conventions for Identifiers |
| | R |
1100 |
Insufficient Isolation of System-Dependent Functions |
| | R |
1101 |
Reliance on Runtime Component in Generated Code |
| | R |
1102 |
Reliance on Machine-Dependent Data Representation |
| | R |
1103 |
Use of Platform-Dependent Third Party Components |
| | R |
1104 |
Use of Unmaintained Third Party Components |
| | R |
1105 |
Insufficient Encapsulation of Machine-Dependent Functionality |
| | R |
1106 |
Insufficient Use of Symbolic Constants |
| | R |
1107 |
Insufficient Isolation of Symbolic Constant Definitions |
| | R |
1108 |
Excessive Reliance on Global Variables |
| | R |
1109 |
Use of Same Variable for Multiple Purposes |
| | R |
1110 |
Incomplete Design Documentation |
| | R |
1111 |
Incomplete I/O Documentation |
| | R |
1112 |
Incomplete Documentation of Program Execution |
| | R |
1113 |
Inappropriate Comment Style |
| | R |
1114 |
Inappropriate Whitespace Style |
| | R |
1115 |
Source Code Element without Standard Prologue |
| | R |
1116 |
Inaccurate Comments |
| | R |
1117 |
Callable with Insufficient Behavioral Summary |
| | R |
1118 |
Insufficient Documentation of Error Handling Techniques |
| | R |
1119 |
Excessive Use of Unconditional Branching |
| | R |
1120 |
Excessive Code Complexity |
| | R |
1121 |
Excessive McCabe Cyclomatic Complexity |
| | R |
1122 |
Excessive Halstead Complexity |
| | R |
1123 |
Excessive Use of Self-Modifying Code |
| | R |
1124 |
Excessively Deep Nesting |
| | R |
1125 |
Excessive Attack Surface |
| | R |
1126 |
Declaration of Variable with Unnecessarily Wide Scope |
| | R |
1127 |
Compilation with Insufficient Warnings or Errors |
| | R |
1164 |
Irrelevant Code |
| | R |
1173 |
Improper Use of Validation Framework |
| | R |
1174 |
ASP.NET Misconfiguration: Improper Model Validation |
| | R |
1176 |
Inefficient CPU Computation |
| | R |
1177 |
Use of Prohibited Code |
| | R |
1188 |
Insecure Default Initialization of Resource |
| | R |
1189 |
Improper Isolation of Shared Resources on System-on-a-Chip (SoC) |
| | R |
1190 |
DMA Device Enabled Too Early in Boot Phase |
| | R |
1191 |
On-Chip Debug and Test Interface With Improper Access Control |
| | R |
1192 |
System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers |
| | R |
1193 |
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control |
| | R |
1204 |
Generation of Weak Initialization Vector (IV) |
| | R |
1209 |
Failure to Disable Reserved Bits |
| | R |
1210 |
Audit / Logging Errors |
| | R |
1211 |
Authentication Errors |
| | R |
1212 |
Authorization Errors |
| | R |
1213 |
Random Number Issues |
| | R |
1215 |
Data Validation Issues |
| | R |
1218 |
Memory Buffer Errors |
| | R |
1219 |
File Handling Issues |
| | R |
1220 |
Insufficient Granularity of Access Control |
| | R |
1221 |
Incorrect Register Defaults or Module Parameters |
| | R |
1222 |
Insufficient Granularity of Address Regions Protected by Register Locks |
| | R |
1223 |
Race Condition for Write-Once Attributes |
| | R |
1224 |
Improper Restriction of Write-Once Bit Fields |
| | R |
1226 |
Complexity Issues |
| | R |
1229 |
Creation of Emergent Resource |
| | R |
1230 |
Exposure of Sensitive Information Through Metadata |
| | R |
1231 |
Improper Prevention of Lock Bit Modification |
| | R |
1232 |
Improper Lock Behavior After Power State Transition |
| | R |
1233 |
Security-Sensitive Hardware Controls with Missing Lock Bit Protection |
| | R |
1234 |
Hardware Internal or Debug Modes Allow Override of Locks |
| | R |
1235 |
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations |
| | R |
1236 |
Improper Neutralization of Formula Elements in a CSV File |
| | R |
1239 |
Improper Zeroization of Hardware Register |
| | R |
1240 |
Use of a Cryptographic Primitive with a Risky Implementation |
| | R |
1241 |
Use of Predictable Algorithm in Random Number Generator |
| | R |
1242 |
Inclusion of Undocumented Features or Chicken Bits |
| | R |
1243 |
Sensitive Non-Volatile Information Not Protected During Debug |
| | R |
1244 |
Internal Asset Exposed to Unsafe Debug Access Level or State |
| | R |
1245 |
Improper Finite State Machines (FSMs) in Hardware Logic |
| | R |
1246 |
Improper Write Handling in Limited-write Non-Volatile Memories |
| | R |
1247 |
Improper Protection Against Voltage and Clock Glitches |
D | | R |
1248 |
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications |
| | R |
1249 |
Application-Level Admin Tool with Inconsistent View of Underlying Operating System |
| | R |
1250 |
Improper Preservation of Consistency Between Independent Representations of Shared State |
| | R |
1251 |
Mirrored Regions with Different Values |
| | R |
1252 |
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations |
| | R |
1253 |
Incorrect Selection of Fuse Values |
| | R |
1254 |
Incorrect Comparison Logic Granularity |
| | R |
1255 |
Comparison Logic is Vulnerable to Power Side-Channel Attacks |
| | R |
1256 |
Improper Restriction of Software Interfaces to Hardware Features |
| | R |
1257 |
Improper Access Control Applied to Mirrored or Aliased Memory Regions |
| | R |
1258 |
Exposure of Sensitive System Information Due to Uncleared Debug Information |
| | R |
1259 |
Improper Restriction of Security Token Assignment |
| | R |
1260 |
Improper Handling of Overlap Between Protected Memory Ranges |
| | R |
1261 |
Improper Handling of Single Event Upsets |
| | R |
1262 |
Improper Access Control for Register Interface |
| | R |
1263 |
Improper Physical Access Control |
| | R |
1264 |
Hardware Logic with Insecure De-Synchronization between Control and Data Channels |
| | R |
1265 |
Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls |
| | R |
1266 |
Improper Scrubbing of Sensitive Data from Decommissioned Device |
| | R |
1267 |
Policy Uses Obsolete Encoding |
| | R |
1268 |
Policy Privileges are not Assigned Consistently Between Control and Data Agents |
| | R |
1269 |
Product Released in Non-Release Configuration |
| | R |
1270 |
Generation of Incorrect Security Tokens |
| | R |
1271 |
Uninitialized Value on Reset for Registers Holding Security Settings |
| | R |
1272 |
Sensitive Information Uncleared Before Debug/Power State Transition |
| | R |
1273 |
Device Unlock Credential Sharing |
| | R |
1274 |
Improper Access Control for Volatile Memory Containing Boot Code |
| | R |
1275 |
Sensitive Cookie with Improper SameSite Attribute |
| | R |
1276 |
Hardware Child Block Incorrectly Connected to Parent System |
| | R |
1277 |
Firmware Not Updateable |
| | R |
1278 |
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques |
| | R |
1279 |
Cryptographic Operations are run Before Supporting Units are Ready |
| | R |
1280 |
Access Control Check Implemented After Asset is Accessed |
D | | R |
1281 |
Sequence of Processor Instructions Leads to Unexpected Behavior |
| | R |
1282 |
Assumed-Immutable Data is Stored in Writable Memory |
| | R |
1283 |
Mutable Attestation or Measurement Reporting Data |
| | R |
1284 |
Improper Validation of Specified Quantity in Input |
| | R |
1285 |
Improper Validation of Specified Index, Position, or Offset in Input |
| | R |
1286 |
Improper Validation of Syntactic Correctness of Input |
| | R |
1287 |
Improper Validation of Specified Type of Input |
| | R |
1288 |
Improper Validation of Consistency within Input |
| | R |
1289 |
Improper Validation of Unsafe Equivalence in Input |
| | R |
1290 |
Incorrect Decoding of Security Identifiers |
| | R |
1291 |
Public Key Re-Use for Signing both Debug and Production Code |
| | R |
1292 |
Incorrect Conversion of Security Identifiers |
| | R |
1293 |
Missing Source Correlation of Multiple Independent Data |
| | R |
1294 |
Insecure Security Identifier Mechanism |
| | R |
1295 |
Debug Messages Revealing Unnecessary Information |
| | R |
1296 |
Incorrect Chaining or Granularity of Debug Components |
| | R |
1297 |
Unprotected Confidential Information on Device is Accessible by OSAT Vendors |
| | R |
1298 |
Hardware Logic Contains Race Conditions |
| | R |
1299 |
Missing Protection Mechanism for Alternate Hardware Interface |
| | R |
1300 |
Improper Protection of Physical Side Channels |
| | R |
1301 |
Insufficient or Incomplete Data Removal within Hardware Component |
| | R |
1302 |
Missing Security Identifier |
| | R |
1303 |
Non-Transparent Sharing of Microarchitectural Resources |
| | R |
1304 |
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation |
| | R |
1310 |
Missing Ability to Patch ROM Code |
| | R |
1311 |
Improper Translation of Security Attributes by Fabric Bridge |
| | R |
1312 |
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall |
| | R |
1313 |
Hardware Allows Activation of Test or Debug Logic at Runtime |
| | R |
1314 |
Missing Write Protection for Parametric Data Values |
| | R |
1315 |
Improper Setting of Bus Controlling Capability in Fabric End-point |
| | R |
1316 |
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges |
| | R |
1317 |
Improper Access Control in Fabric Bridge |
| | R |
1318 |
Missing Support for Security Features in On-chip Fabrics or Buses |
| | R |
1319 |
Improper Protection against Electromagnetic Fault Injection (EM-FI) |
| | R |
1320 |
Improper Protection for Outbound Error Messages and Alert Signals |
| | R |
1321 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| | R |
1322 |
Use of Blocking Code in Single-threaded, Non-blocking Context |
| | R |
1323 |
Improper Management of Sensitive Trace Data |
| | R |
1325 |
Improperly Controlled Sequential Memory Allocation |
| | R |
1326 |
Missing Immutable Root of Trust in Hardware |
| | R |
1327 |
Binding to an Unrestricted IP Address |
| | R |
1328 |
Security Version Number Mutable to Older Versions |
| | R |
1329 |
Reliance on Component That is Not Updateable |
| | R |
1330 |
Remanent Data Readable after Memory Erase |
| | R |
1331 |
Improper Isolation of Shared Resources in Network On Chip (NoC) |
| | R |
1332 |
Improper Handling of Faults that Lead to Instruction Skips |
| | R |
1333 |
Inefficient Regular Expression Complexity |
| | R |
1334 |
Unauthorized Error Injection Can Degrade Hardware Redundancy |
| | R |
1335 |
Incorrect Bitwise Shift of Integer |
| | R |
1336 |
Improper Neutralization of Special Elements Used in a Template Engine |
| | R |
1338 |
Improper Protections Against Hardware Overheating |
| | R |
1339 |
Insufficient Precision or Accuracy of a Real Number |
| | R |
1341 |
Multiple Releases of Same Resource or Handle |
| | R |
1342 |
Information Exposure through Microarchitectural State after Transient Execution |
| | R |
1351 |
Improper Handling of Hardware Behavior in Exceptionally Cold Environments |
| | R |
1357 |
Reliance on Insufficiently Trustworthy Component |
| | R |
1364 |
ICS Communications: Zone Boundary Failures |
| | R |
1365 |
ICS Communications: Unreliability |
| | R |
1366 |
ICS Communications: Frail Security in Protocols |
| | R |
1370 |
ICS Supply Chain: Common Mode Frailties |
| | R |
1372 |
ICS Supply Chain: OT Counterfeit and Malicious Corruption |
| | R |
1375 |
ICS Engineering (Construction/Deployment): Gaps in Details/Data |
| | R |
1384 |
Improper Handling of Physical or Environmental Conditions |
| | R |
1385 |
Missing Origin Validation in WebSockets |
| | R |
1386 |
Insecure Operation on Windows Junction / Mount Point |
| | R |
1389 |
Incorrect Parsing of Numbers with Different Radices |
| | R |
1390 |
Weak Authentication |
| | R |
1391 |
Use of Weak Credentials |
| | R |
1392 |
Use of Default Credentials |
| | R |
1393 |
Use of Default Password |
| | R |
1394 |
Use of Default Cryptographic Key |
| | R |
1395 |
Dependency on Vulnerable Third-Party Component |
2 |
7PK - Environment |
|
Major |
Mapping_Notes |
|
Minor |
None |
5 |
J2EE Misconfiguration: Data Transmission Without Encryption |
|
Major |
Relationships |
|
Minor |
None |
6 |
J2EE Misconfiguration: Insufficient Session-ID Length |
|
Major |
References, Relationships |
|
Minor |
None |
7 |
J2EE Misconfiguration: Missing Custom Error Page |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
8 |
J2EE Misconfiguration: Entity Bean Declared Remote |
|
Major |
Relationships |
|
Minor |
None |
9 |
J2EE Misconfiguration: Weak Access Permissions for EJB Methods |
|
Major |
Relationships |
|
Minor |
None |
11 |
ASP.NET Misconfiguration: Creating Debug Binary |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
12 |
ASP.NET Misconfiguration: Missing Custom Error Page |
|
Major |
Relationships |
|
Minor |
None |
13 |
ASP.NET Misconfiguration: Password in Configuration File |
|
Major |
References, Relationships |
|
Minor |
None |
14 |
Compiler Removal of Code to Clear Buffers |
|
Major |
References, Relationships |
|
Minor |
None |
15 |
External Control of System or Configuration Setting |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
19 |
Data Processing Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
20 |
Improper Input Validation |
|
Major |
References, Relationships |
|
Minor |
None |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
Major |
Demonstrative_Examples, References, Relationships, Time_of_Introduction |
|
Minor |
None |
23 |
Relative Path Traversal |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
24 |
Path Traversal: '../filedir' |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
25 |
Path Traversal: '/../filedir' |
|
Major |
Relationships |
|
Minor |
None |
26 |
Path Traversal: '/dir/../filename' |
|
Major |
Relationships |
|
Minor |
None |
27 |
Path Traversal: 'dir/../../filename' |
|
Major |
Relationships |
|
Minor |
None |
28 |
Path Traversal: '..\filedir' |
|
Major |
Relationships |
|
Minor |
None |
29 |
Path Traversal: '\..\filename' |
|
Major |
Relationships |
|
Minor |
None |
30 |
Path Traversal: '\dir\..\filename' |
|
Major |
Relationships |
|
Minor |
None |
31 |
Path Traversal: 'dir\..\..\filename' |
|
Major |
Relationships |
|
Minor |
None |
32 |
Path Traversal: '...' (Triple Dot) |
|
Major |
Relationships |
|
Minor |
None |
33 |
Path Traversal: '....' (Multiple Dot) |
|
Major |
Relationships |
|
Minor |
None |
34 |
Path Traversal: '....//' |
|
Major |
Relationships |
|
Minor |
None |
35 |
Path Traversal: '.../...//' |
|
Major |
Relationships |
|
Minor |
None |
36 |
Absolute Path Traversal |
|
Major |
Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
37 |
Path Traversal: '/absolute/pathname/here' |
|
Major |
Relationships |
|
Minor |
None |
38 |
Path Traversal: '\absolute\pathname\here' |
|
Major |
Relationships |
|
Minor |
None |
39 |
Path Traversal: 'C:dirname' |
|
Major |
Relationships |
|
Minor |
None |
40 |
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
|
Major |
Relationships |
|
Minor |
None |
41 |
Improper Resolution of Path Equivalence |
|
Major |
Relationships |
|
Minor |
None |
42 |
Path Equivalence: 'filename.' (Trailing Dot) |
|
Major |
Relationships |
|
Minor |
None |
43 |
Path Equivalence: 'filename....' (Multiple Trailing Dot) |
|
Major |
Relationships |
|
Minor |
None |
44 |
Path Equivalence: 'file.name' (Internal Dot) |
|
Major |
Relationships |
|
Minor |
None |
45 |
Path Equivalence: 'file...name' (Multiple Internal Dot) |
|
Major |
Relationships |
|
Minor |
None |
46 |
Path Equivalence: 'filename ' (Trailing Space) |
|
Major |
Relationships |
|
Minor |
None |
47 |
Path Equivalence: ' filename' (Leading Space) |
|
Major |
Relationships |
|
Minor |
None |
48 |
Path Equivalence: 'file name' (Internal Whitespace) |
|
Major |
Relationships |
|
Minor |
None |
49 |
Path Equivalence: 'filename/' (Trailing Slash) |
|
Major |
Relationships |
|
Minor |
None |
50 |
Path Equivalence: '//multiple/leading/slash' |
|
Major |
Relationships |
|
Minor |
None |
51 |
Path Equivalence: '/multiple//internal/slash' |
|
Major |
Relationships |
|
Minor |
None |
52 |
Path Equivalence: '/multiple/trailing/slash//' |
|
Major |
Relationships |
|
Minor |
None |
53 |
Path Equivalence: '\multiple\\internal\backslash' |
|
Major |
Relationships |
|
Minor |
None |
54 |
Path Equivalence: 'filedir\' (Trailing Backslash) |
|
Major |
Relationships |
|
Minor |
None |
55 |
Path Equivalence: '/./' (Single Dot Directory) |
|
Major |
Relationships |
|
Minor |
None |
56 |
Path Equivalence: 'filedir*' (Wildcard) |
|
Major |
Relationships |
|
Minor |
None |
57 |
Path Equivalence: 'fakedir/../realdir/filename' |
|
Major |
Relationships |
|
Minor |
None |
58 |
Path Equivalence: Windows 8.3 Filename |
|
Major |
Relationships |
|
Minor |
None |
59 |
Improper Link Resolution Before File Access ('Link Following') |
|
Major |
Relationships |
|
Minor |
None |
61 |
UNIX Symbolic Link (Symlink) Following |
|
Major |
References, Relationships |
|
Minor |
None |
62 |
UNIX Hard Link |
|
Major |
Relationships |
|
Minor |
None |
64 |
Windows Shortcut Following (.LNK) |
|
Major |
Relationships |
|
Minor |
None |
65 |
Windows Hard Link |
|
Major |
Relationships |
|
Minor |
None |
66 |
Improper Handling of File Names that Identify Virtual Resources |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
67 |
Improper Handling of Windows Device Names |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
69 |
Improper Handling of Windows ::DATA Alternate Data Stream |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
72 |
Improper Handling of Apple HFS+ Alternate Data Stream Path |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
73 |
External Control of File Name or Path |
|
Major |
Potential_Mitigations, Relationships |
|
Minor |
None |
74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
75 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
76 |
Improper Neutralization of Equivalent Special Elements |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
78 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
|
Major |
Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
80 |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
81 |
Improper Neutralization of Script in an Error Message Web Page |
|
Major |
Relationships |
|
Minor |
None |
82 |
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
|
Major |
Relationships |
|
Minor |
None |
83 |
Improper Neutralization of Script in Attributes in a Web Page |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
84 |
Improper Neutralization of Encoded URI Schemes in a Web Page |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
85 |
Doubled Character XSS Manipulations |
|
Major |
Relationships |
|
Minor |
None |
86 |
Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
87 |
Improper Neutralization of Alternate XSS Syntax |
|
Major |
Relationships |
|
Minor |
None |
88 |
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
|
Major |
Description, Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
89 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
90 |
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
91 |
XML Injection (aka Blind XPath Injection) |
|
Major |
Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
94 |
Improper Control of Generation of Code ('Code Injection') |
|
Major |
Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
Major |
Demonstrative_Examples, Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
97 |
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
98 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
99 |
Improper Control of Resource Identifiers ('Resource Injection') |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
102 |
Struts: Duplicate Validation Forms |
|
Major |
Relationships |
|
Minor |
None |
103 |
Struts: Incomplete validate() Method Definition |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
104 |
Struts: Form Bean Does Not Extend Validation Class |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
105 |
Struts: Form Field Without Validator |
|
Major |
Relationships |
|
Minor |
None |
106 |
Struts: Plug-in Framework not in Use |
|
Major |
Relationships |
|
Minor |
None |
107 |
Struts: Unused Validation Form |
|
Major |
Relationships |
|
Minor |
None |
108 |
Struts: Unvalidated Action Form |
|
Major |
Relationships |
|
Minor |
None |
109 |
Struts: Validator Turned Off |
|
Major |
Relationships |
|
Minor |
None |
110 |
Struts: Validator Without Form Field |
|
Major |
Relationships |
|
Minor |
None |
111 |
Direct Use of Unsafe JNI |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
112 |
Missing XML Validation |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
113 |
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
114 |
Process Control |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
115 |
Misinterpretation of Input |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
116 |
Improper Encoding or Escaping of Output |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
117 |
Improper Output Neutralization for Logs |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
118 |
Incorrect Access of Indexable Resource ('Range Error') |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
|
Major |
Potential_Mitigations, References, Relationships, Time_of_Introduction |
|
Minor |
None |
120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
121 |
Stack-based Buffer Overflow |
|
Major |
Detection_Factors, Potential_Mitigations, References, Relationships, Time_of_Introduction |
|
Minor |
None |
122 |
Heap-based Buffer Overflow |
|
Major |
Detection_Factors, Potential_Mitigations, References, Relationships, Time_of_Introduction |
|
Minor |
None |
123 |
Write-what-where Condition |
|
Major |
Relationships |
|
Minor |
None |
124 |
Buffer Underwrite ('Buffer Underflow') |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
125 |
Out-of-bounds Read |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
126 |
Buffer Over-read |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
127 |
Buffer Under-read |
|
Major |
References, Relationships |
|
Minor |
None |
128 |
Wrap-around Error |
|
Major |
Relationships |
|
Minor |
None |
129 |
Improper Validation of Array Index |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
130 |
Improper Handling of Length Parameter Inconsistency |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
131 |
Incorrect Calculation of Buffer Size |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
133 |
String Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
134 |
Use of Externally-Controlled Format String |
|
Major |
References, Relationships |
|
Minor |
None |
135 |
Incorrect Calculation of Multi-Byte String Length |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
136 |
Type Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
137 |
Data Neutralization Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
138 |
Improper Neutralization of Special Elements |
|
Major |
Relationships |
|
Minor |
None |
140 |
Improper Neutralization of Delimiters |
|
Major |
Relationships |
|
Minor |
None |
141 |
Improper Neutralization of Parameter/Argument Delimiters |
|
Major |
Relationships |
|
Minor |
None |
142 |
Improper Neutralization of Value Delimiters |
|
Major |
Relationships |
|
Minor |
None |
143 |
Improper Neutralization of Record Delimiters |
|
Major |
Relationships |
|
Minor |
None |
144 |
Improper Neutralization of Line Delimiters |
|
Major |
Relationships |
|
Minor |
None |
145 |
Improper Neutralization of Section Delimiters |
|
Major |
Relationships |
|
Minor |
None |
146 |
Improper Neutralization of Expression/Command Delimiters |
|
Major |
Relationships |
|
Minor |
None |
147 |
Improper Neutralization of Input Terminators |
|
Major |
Relationships |
|
Minor |
None |
148 |
Improper Neutralization of Input Leaders |
|
Major |
Relationships |
|
Minor |
None |
149 |
Improper Neutralization of Quoting Syntax |
|
Major |
Relationships |
|
Minor |
None |
150 |
Improper Neutralization of Escape, Meta, or Control Sequences |
|
Major |
Relationships |
|
Minor |
None |
151 |
Improper Neutralization of Comment Delimiters |
|
Major |
Relationships |
|
Minor |
None |
152 |
Improper Neutralization of Macro Symbols |
|
Major |
Relationships |
|
Minor |
None |
153 |
Improper Neutralization of Substitution Characters |
|
Major |
Relationships |
|
Minor |
None |
154 |
Improper Neutralization of Variable Name Delimiters |
|
Major |
Relationships |
|
Minor |
None |
155 |
Improper Neutralization of Wildcards or Matching Symbols |
|
Major |
Relationships |
|
Minor |
None |
156 |
Improper Neutralization of Whitespace |
|
Major |
Relationships |
|
Minor |
None |
157 |
Failure to Sanitize Paired Delimiters |
|
Major |
Relationships |
|
Minor |
None |
158 |
Improper Neutralization of Null Byte or NUL Character |
|
Major |
Relationships |
|
Minor |
None |
159 |
Improper Handling of Invalid Use of Special Elements |
|
Major |
Relationships |
|
Minor |
None |
160 |
Improper Neutralization of Leading Special Elements |
|
Major |
Relationships |
|
Minor |
None |
161 |
Improper Neutralization of Multiple Leading Special Elements |
|
Major |
Relationships |
|
Minor |
None |
162 |
Improper Neutralization of Trailing Special Elements |
|
Major |
Relationships |
|
Minor |
None |
163 |
Improper Neutralization of Multiple Trailing Special Elements |
|
Major |
Relationships |
|
Minor |
None |
164 |
Improper Neutralization of Internal Special Elements |
|
Major |
Relationships |
|
Minor |
None |
165 |
Improper Neutralization of Multiple Internal Special Elements |
|
Major |
Relationships |
|
Minor |
None |
166 |
Improper Handling of Missing Special Element |
|
Major |
Relationships |
|
Minor |
None |
167 |
Improper Handling of Additional Special Element |
|
Major |
Relationships |
|
Minor |
None |
168 |
Improper Handling of Inconsistent Special Elements |
|
Major |
Relationships |
|
Minor |
None |
170 |
Improper Null Termination |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
172 |
Encoding Error |
|
Major |
Relationships |
|
Minor |
None |
173 |
Improper Handling of Alternate Encoding |
|
Major |
Relationships |
|
Minor |
None |
174 |
Double Decoding of the Same Data |
|
Major |
Relationships |
|
Minor |
None |
175 |
Improper Handling of Mixed Encoding |
|
Major |
Relationships |
|
Minor |
None |
176 |
Improper Handling of Unicode Encoding |
|
Major |
Relationships |
|
Minor |
None |
177 |
Improper Handling of URL Encoding (Hex Encoding) |
|
Major |
Relationships |
|
Minor |
None |
178 |
Improper Handling of Case Sensitivity |
|
Major |
Relationships |
|
Minor |
None |
179 |
Incorrect Behavior Order: Early Validation |
|
Major |
Relationships |
|
Minor |
None |
180 |
Incorrect Behavior Order: Validate Before Canonicalize |
|
Major |
Relationships |
|
Minor |
None |
181 |
Incorrect Behavior Order: Validate Before Filter |
|
Major |
Relationships |
|
Minor |
None |
182 |
Collapse of Data into Unsafe Value |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
183 |
Permissive List of Allowed Inputs |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
184 |
Incomplete List of Disallowed Inputs |
|
Major |
References, Relationships |
|
Minor |
None |
185 |
Incorrect Regular Expression |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
186 |
Overly Restrictive Regular Expression |
|
Major |
Relationships |
|
Minor |
None |
187 |
Partial String Comparison |
|
Major |
Relationships |
|
Minor |
None |
188 |
Reliance on Data/Memory Layout |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
189 |
Numeric Errors |
|
Major |
Relationships |
|
Minor |
None |
190 |
Integer Overflow or Wraparound |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
191 |
Integer Underflow (Wrap or Wraparound) |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
192 |
Integer Coercion Error |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
193 |
Off-by-one Error |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
194 |
Unexpected Sign Extension |
|
Major |
References, Relationships |
|
Minor |
None |
195 |
Signed to Unsigned Conversion Error |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
196 |
Unsigned to Signed Conversion Error |
|
Major |
Relationships |
|
Minor |
None |
197 |
Numeric Truncation Error |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
198 |
Use of Incorrect Byte Ordering |
|
Major |
Relationships, Time_of_Introduction, Type |
|
Minor |
None |
199 |
Information Management Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
200 |
Exposure of Sensitive Information to an Unauthorized Actor |
|
Major |
References, Relationships |
|
Minor |
None |
201 |
Insertion of Sensitive Information Into Sent Data |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
202 |
Exposure of Sensitive Information Through Data Queries |
|
Major |
Relationships, Type |
|
Minor |
None |
203 |
Observable Discrepancy |
|
Major |
Relationships |
|
Minor |
None |
204 |
Observable Response Discrepancy |
|
Major |
Relationships |
|
Minor |
None |
205 |
Observable Behavioral Discrepancy |
|
Major |
Relationships |
|
Minor |
None |
206 |
Observable Internal Behavioral Discrepancy |
|
Major |
Relationships |
|
Minor |
None |
207 |
Observable Behavioral Discrepancy With Equivalent Products |
|
Major |
Relationships |
|
Minor |
None |
208 |
Observable Timing Discrepancy |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
209 |
Generation of Error Message Containing Sensitive Information |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
210 |
Self-generated Error Message Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
211 |
Externally-Generated Error Message Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
212 |
Improper Removal of Sensitive Information Before Storage or Transfer |
|
Major |
Relationships |
|
Minor |
None |
213 |
Exposure of Sensitive Information Due to Incompatible Policies |
|
Major |
Relationships |
|
Minor |
None |
214 |
Invocation of Process Using Visible Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
215 |
Insertion of Sensitive Information Into Debugging Code |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
219 |
Storage of File with Sensitive Data Under Web Root |
|
Major |
Relationships |
|
Minor |
None |
220 |
Storage of File With Sensitive Data Under FTP Root |
|
Major |
Relationships |
|
Minor |
None |
221 |
Information Loss or Omission |
|
Major |
Relationships |
|
Minor |
None |
222 |
Truncation of Security-relevant Information |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
223 |
Omission of Security-relevant Information |
|
Major |
Relationships |
|
Minor |
None |
224 |
Obscured Security-relevant Information by Alternate Name |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
226 |
Sensitive Information in Resource Not Removed Before Reuse |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
227 |
7PK - API Abuse |
|
Major |
Mapping_Notes |
|
Minor |
None |
228 |
Improper Handling of Syntactically Invalid Structure |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
229 |
Improper Handling of Values |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
230 |
Improper Handling of Missing Values |
|
Major |
Relationships |
|
Minor |
None |
231 |
Improper Handling of Extra Values |
|
Major |
Relationships |
|
Minor |
None |
232 |
Improper Handling of Undefined Values |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
233 |
Improper Handling of Parameters |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
234 |
Failure to Handle Missing Parameter |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
235 |
Improper Handling of Extra Parameters |
|
Major |
Relationships |
|
Minor |
None |
236 |
Improper Handling of Undefined Parameters |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
237 |
Improper Handling of Structural Elements |
|
Major |
Relationships |
|
Minor |
None |
238 |
Improper Handling of Incomplete Structural Elements |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
239 |
Failure to Handle Incomplete Element |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
240 |
Improper Handling of Inconsistent Structural Elements |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
241 |
Improper Handling of Unexpected Data Type |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
242 |
Use of Inherently Dangerous Function |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
243 |
Creation of chroot Jail Without Changing Working Directory |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
244 |
Improper Clearing of Heap Memory Before Release ('Heap Inspection') |
|
Major |
Relationships |
|
Minor |
None |
245 |
J2EE Bad Practices: Direct Management of Connections |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
246 |
J2EE Bad Practices: Direct Use of Sockets |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
248 |
Uncaught Exception |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
250 |
Execution with Unnecessary Privileges |
|
Major |
Potential_Mitigations, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
251 |
Often Misused: String Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
252 |
Unchecked Return Value |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
253 |
Incorrect Check of Function Return Value |
|
Major |
Relationships |
|
Minor |
None |
255 |
Credentials Management Errors |
|
Major |
Relationships |
|
Minor |
None |
256 |
Plaintext Storage of a Password |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
257 |
Storing Passwords in a Recoverable Format |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
258 |
Empty Password in Configuration File |
|
Major |
Relationships |
|
Minor |
None |
259 |
Use of Hard-coded Password |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
260 |
Password in Configuration File |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
261 |
Weak Encoding for Password |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
262 |
Not Using Password Aging |
|
Major |
References, Relationships |
|
Minor |
None |
263 |
Password Aging with Long Expiration |
|
Major |
References, Relationships |
|
Minor |
None |
265 |
Privilege Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
266 |
Incorrect Privilege Assignment |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
267 |
Privilege Defined With Unsafe Actions |
|
Major |
References, Relationships |
|
Minor |
None |
268 |
Privilege Chaining |
|
Major |
References, Relationships |
|
Minor |
None |
269 |
Improper Privilege Management |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
270 |
Privilege Context Switching Error |
|
Major |
References, Relationships |
|
Minor |
None |
271 |
Privilege Dropping / Lowering Errors |
|
Major |
Relationships |
|
Minor |
None |
272 |
Least Privilege Violation |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
273 |
Improper Check for Dropped Privileges |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
274 |
Improper Handling of Insufficient Privileges |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
276 |
Incorrect Default Permissions |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
277 |
Insecure Inherited Permissions |
|
Major |
Relationships |
|
Minor |
None |
278 |
Insecure Preserved Inherited Permissions |
|
Major |
Relationships |
|
Minor |
None |
279 |
Incorrect Execution-Assigned Permissions |
|
Major |
Relationships |
|
Minor |
None |
280 |
Improper Handling of Insufficient Permissions or Privileges |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
281 |
Improper Preservation of Permissions |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
282 |
Improper Ownership Management |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
283 |
Unverified Ownership |
|
Major |
Relationships |
|
Minor |
None |
284 |
Improper Access Control |
|
Major |
Relationships |
|
Minor |
None |
285 |
Improper Authorization |
|
Major |
References, Relationships |
|
Minor |
None |
286 |
Incorrect User Management |
|
Major |
Relationships |
|
Minor |
None |
287 |
Improper Authentication |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
288 |
Authentication Bypass Using an Alternate Path or Channel |
|
Major |
Relationships |
|
Minor |
None |
289 |
Authentication Bypass by Alternate Name |
|
Major |
Relationships |
|
Minor |
None |
290 |
Authentication Bypass by Spoofing |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
291 |
Reliance on IP Address for Authentication |
|
Major |
Relationships |
|
Minor |
None |
293 |
Using Referer Field for Authentication |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
294 |
Authentication Bypass by Capture-replay |
|
Major |
Relationships |
|
Minor |
None |
295 |
Improper Certificate Validation |
|
Major |
Relationships |
|
Minor |
None |
296 |
Improper Following of a Certificate's Chain of Trust |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
297 |
Improper Validation of Certificate with Host Mismatch |
|
Major |
Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
298 |
Improper Validation of Certificate Expiration |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
299 |
Improper Check for Certificate Revocation |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
300 |
Channel Accessible by Non-Endpoint |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
301 |
Reflection Attack in an Authentication Protocol |
|
Major |
Relationships |
|
Minor |
None |
302 |
Authentication Bypass by Assumed-Immutable Data |
|
Major |
Relationships |
|
Minor |
None |
303 |
Incorrect Implementation of Authentication Algorithm |
|
Major |
Relationships |
|
Minor |
None |
304 |
Missing Critical Step in Authentication |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
305 |
Authentication Bypass by Primary Weakness |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
306 |
Missing Authentication for Critical Function |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
307 |
Improper Restriction of Excessive Authentication Attempts |
|
Major |
Demonstrative_Examples, References, Relationships |
|
Minor |
None |
308 |
Use of Single-factor Authentication |
|
Major |
Relationships |
|
Minor |
None |
309 |
Use of Password System for Primary Authentication |
|
Major |
Relationships |
|
Minor |
None |
310 |
Cryptographic Issues |
|
Major |
Relationships |
|
Minor |
None |
311 |
Missing Encryption of Sensitive Data |
|
Major |
References, Relationships |
|
Minor |
None |
312 |
Cleartext Storage of Sensitive Information |
|
Major |
Detection_Factors, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
313 |
Cleartext Storage in a File or on Disk |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
314 |
Cleartext Storage in the Registry |
|
Major |
Relationships |
|
Minor |
None |
315 |
Cleartext Storage of Sensitive Information in a Cookie |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
316 |
Cleartext Storage of Sensitive Information in Memory |
|
Major |
Relationships |
|
Minor |
None |
317 |
Cleartext Storage of Sensitive Information in GUI |
|
Major |
Relationships |
|
Minor |
None |
318 |
Cleartext Storage of Sensitive Information in Executable |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
319 |
Cleartext Transmission of Sensitive Information |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
320 |
Key Management Errors |
|
Major |
Relationships |
|
Minor |
None |
321 |
Use of Hard-coded Cryptographic Key |
|
Major |
Detection_Factors, Relationships, Taxonomy_Mappings |
|
Minor |
None |
322 |
Key Exchange without Entity Authentication |
|
Major |
Relationships |
|
Minor |
None |
323 |
Reusing a Nonce, Key Pair in Encryption |
|
Major |
Relationships, Type |
|
Minor |
None |
324 |
Use of a Key Past its Expiration Date |
|
Major |
Relationships |
|
Minor |
None |
325 |
Missing Cryptographic Step |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
326 |
Inadequate Encryption Strength |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
|
Major |
References, Relationships |
|
Minor |
None |
328 |
Use of Weak Hash |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
329 |
Generation of Predictable IV with CBC Mode |
|
Major |
Detection_Factors, Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
330 |
Use of Insufficiently Random Values |
|
Major |
References, Relationships |
|
Minor |
None |
331 |
Insufficient Entropy |
|
Major |
Relationships |
|
Minor |
None |
332 |
Insufficient Entropy in PRNG |
|
Major |
References, Relationships |
|
Minor |
None |
333 |
Improper Handling of Insufficient Entropy in TRNG |
|
Major |
Relationships |
|
Minor |
None |
334 |
Small Space of Random Values |
|
Major |
References, Relationships |
|
Minor |
None |
335 |
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
336 |
Same Seed in Pseudo-Random Number Generator (PRNG) |
|
Major |
Detection_Factors, Modes_of_Introduction, References, Relationships, Time_of_Introduction |
|
Minor |
None |
337 |
Predictable Seed in Pseudo-Random Number Generator (PRNG) |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
339 |
Small Seed Space in PRNG |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
340 |
Generation of Predictable Numbers or Identifiers |
|
Major |
Relationships |
|
Minor |
None |
341 |
Predictable from Observable State |
|
Major |
References, Relationships |
|
Minor |
None |
342 |
Predictable Exact Value from Previous Values |
|
Major |
References, Relationships |
|
Minor |
None |
343 |
Predictable Value Range from Previous Values |
|
Major |
References, Relationships |
|
Minor |
None |
344 |
Use of Invariant Value in Dynamically Changing Context |
|
Major |
References, Relationships |
|
Minor |
None |
345 |
Insufficient Verification of Data Authenticity |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
346 |
Origin Validation Error |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
347 |
Improper Verification of Cryptographic Signature |
|
Major |
Detection_Factors, Relationships, Taxonomy_Mappings |
|
Minor |
None |
348 |
Use of Less Trusted Source |
|
Major |
Relationships |
|
Minor |
None |
349 |
Acceptance of Extraneous Untrusted Data With Trusted Data |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
350 |
Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
351 |
Insufficient Type Distinction |
|
Major |
Relationships |
|
Minor |
None |
352 |
Cross-Site Request Forgery (CSRF) |
|
Major |
References, Relationships |
|
Minor |
None |
353 |
Missing Support for Integrity Check |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
354 |
Improper Validation of Integrity Check Value |
|
Major |
Relationships |
|
Minor |
None |
355 |
User Interface Security Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
356 |
Product UI does not Warn User of Unsafe Actions |
|
Major |
Relationships |
|
Minor |
None |
357 |
Insufficient UI Warning of Dangerous Operations |
|
Major |
Relationships |
|
Minor |
None |
358 |
Improperly Implemented Security Check for Standard |
|
Major |
Relationships |
|
Minor |
None |
359 |
Exposure of Private Personal Information to an Unauthorized Actor |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
360 |
Trust of System Event Data |
|
Major |
Relationships |
|
Minor |
None |
361 |
7PK - Time and State |
|
Major |
Mapping_Notes |
|
Minor |
None |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
Major |
References, Relationships |
|
Minor |
None |
363 |
Race Condition Enabling Link Following |
|
Major |
Relationships |
|
Minor |
None |
364 |
Signal Handler Race Condition |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
366 |
Race Condition within a Thread |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
367 |
Time-of-check Time-of-use (TOCTOU) Race Condition |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
368 |
Context Switching Race Condition |
|
Major |
Relationships |
|
Minor |
None |
369 |
Divide By Zero |
|
Major |
Demonstrative_Examples, Detection_Factors, References, Relationships |
|
Minor |
None |
370 |
Missing Check for Certificate Revocation after Initial Check |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
371 |
State Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
372 |
Incomplete Internal State Distinction |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
374 |
Passing Mutable Objects to an Untrusted Method |
|
Major |
References, Relationships |
|
Minor |
None |
375 |
Returning a Mutable Object to an Untrusted Caller |
|
Major |
Relationships |
|
Minor |
None |
377 |
Insecure Temporary File |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
378 |
Creation of Temporary File With Insecure Permissions |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
379 |
Creation of Temporary File in Directory with Insecure Permissions |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
382 |
J2EE Bad Practices: Use of System.exit() |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
383 |
J2EE Bad Practices: Direct Use of Threads |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
384 |
Session Fixation |
|
Major |
Relationships |
|
Minor |
None |
385 |
Covert Timing Channel |
|
Major |
Relationships |
|
Minor |
None |
386 |
Symbolic Name not Mapping to Correct Object |
|
Major |
Relationships |
|
Minor |
None |
387 |
Signal Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
389 |
Error Conditions, Return Values, Status Codes |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
390 |
Detection of Error Condition Without Action |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
391 |
Unchecked Error Condition |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
392 |
Missing Report of Error Condition |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
393 |
Return of Wrong Status Code |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
394 |
Unexpected Status Code or Return Value |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
395 |
Use of NullPointerException Catch to Detect NULL Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
396 |
Declaration of Catch for Generic Exception |
|
Major |
Applicable_Platforms, Description, Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
397 |
Declaration of Throws for Generic Exception |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
398 |
7PK - Code Quality |
|
Major |
Mapping_Notes |
|
Minor |
None |
399 |
Resource Management Errors |
|
Major |
Relationships |
|
Minor |
None |
400 |
Uncontrolled Resource Consumption |
|
Major |
Demonstrative_Examples, Relationships, Taxonomy_Mappings |
|
Minor |
None |
401 |
Missing Release of Memory after Effective Lifetime |
|
Major |
Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
402 |
Transmission of Private Resources into a New Sphere ('Resource Leak') |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
403 |
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
404 |
Improper Resource Shutdown or Release |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
405 |
Asymmetric Resource Consumption (Amplification) |
|
Major |
Relationships |
|
Minor |
None |
406 |
Insufficient Control of Network Message Volume (Network Amplification) |
|
Major |
Relationships |
|
Minor |
None |
407 |
Inefficient Algorithmic Complexity |
|
Major |
Relationships |
|
Minor |
None |
408 |
Incorrect Behavior Order: Early Amplification |
|
Major |
Relationships |
|
Minor |
None |
409 |
Improper Handling of Highly Compressed Data (Data Amplification) |
|
Major |
Relationships |
|
Minor |
None |
410 |
Insufficient Resource Pool |
|
Major |
Relationships |
|
Minor |
None |
411 |
Resource Locking Problems |
|
Major |
Mapping_Notes |
|
Minor |
None |
412 |
Unrestricted Externally Accessible Lock |
|
Major |
Relationships |
|
Minor |
None |
413 |
Improper Resource Locking |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
414 |
Missing Lock Check |
|
Major |
Relationships |
|
Minor |
None |
415 |
Double Free |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
416 |
Use After Free |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
417 |
Communication Channel Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
419 |
Unprotected Primary Channel |
|
Major |
Relationships |
|
Minor |
None |
420 |
Unprotected Alternate Channel |
|
Major |
Relationships |
|
Minor |
None |
421 |
Race Condition During Access to Alternate Channel |
|
Major |
References, Relationships |
|
Minor |
None |
422 |
Unprotected Windows Messaging Channel ('Shatter') |
|
Major |
Relationships |
|
Minor |
None |
424 |
Improper Protection of Alternate Path |
|
Major |
Relationships |
|
Minor |
None |
425 |
Direct Request ('Forced Browsing') |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
426 |
Untrusted Search Path |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
427 |
Uncontrolled Search Path Element |
|
Major |
Demonstrative_Examples, Detection_Factors, References, Relationships |
|
Minor |
None |
428 |
Unquoted Search Path or Element |
|
Major |
Relationships |
|
Minor |
None |
429 |
Handler Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
430 |
Deployment of Wrong Handler |
|
Major |
Relationships |
|
Minor |
None |
431 |
Missing Handler |
|
Major |
Relationships |
|
Minor |
None |
432 |
Dangerous Signal Handler not Disabled During Sensitive Operations |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
433 |
Unparsed Raw Web Content Delivery |
|
Major |
Relationships |
|
Minor |
None |
434 |
Unrestricted Upload of File with Dangerous Type |
|
Major |
References, Relationships |
|
Minor |
None |
435 |
Improper Interaction Between Multiple Correctly-Behaving Entities |
|
Major |
References, Relationships |
|
Minor |
None |
436 |
Interpretation Conflict |
|
Major |
References, Relationships |
|
Minor |
None |
437 |
Incomplete Model of Endpoint Features |
|
Major |
Relationships |
|
Minor |
None |
438 |
Behavioral Problems |
|
Major |
Mapping_Notes |
|
Minor |
None |
439 |
Behavioral Change in New Version or Environment |
|
Major |
Relationships |
|
Minor |
None |
440 |
Expected Behavior Violation |
|
Major |
Relationships |
|
Minor |
None |
441 |
Unintended Proxy or Intermediary ('Confused Deputy') |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
444 |
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
446 |
UI Discrepancy for Security Feature |
|
Major |
Relationships |
|
Minor |
None |
447 |
Unimplemented or Unsupported Feature in UI |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
448 |
Obsolete Feature in UI |
|
Major |
Relationships |
|
Minor |
None |
449 |
The UI Performs the Wrong Action |
|
Major |
Relationships |
|
Minor |
None |
450 |
Multiple Interpretations of UI Input |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
451 |
User Interface (UI) Misrepresentation of Critical Information |
|
Major |
Relationships |
|
Minor |
None |
452 |
Initialization and Cleanup Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
453 |
Insecure Default Variable Initialization |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
454 |
External Initialization of Trusted Variables or Data Stores |
|
Major |
Relationships |
|
Minor |
None |
455 |
Non-exit on Failed Initialization |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
456 |
Missing Initialization of a Variable |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
457 |
Use of Uninitialized Variable |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
459 |
Incomplete Cleanup |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
460 |
Improper Cleanup on Thrown Exception |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
462 |
Duplicate Key in Associative List (Alist) |
|
Major |
Relationships, Time_of_Introduction, Type |
|
Minor |
None |
463 |
Deletion of Data Structure Sentinel |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
464 |
Addition of Data Structure Sentinel |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
465 |
Pointer Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
466 |
Return of Pointer Value Outside of Expected Range |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
467 |
Use of sizeof() on a Pointer Type |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
468 |
Incorrect Pointer Scaling |
|
Major |
Relationships |
|
Minor |
None |
469 |
Use of Pointer Subtraction to Determine Size |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
470 |
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
471 |
Modification of Assumed-Immutable Data (MAID) |
|
Major |
Relationships |
|
Minor |
None |
472 |
External Control of Assumed-Immutable Web Parameter |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
473 |
PHP External Variable Modification |
|
Major |
Relationships |
|
Minor |
None |
474 |
Use of Function with Inconsistent Implementations |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
475 |
Undefined Behavior for Input to API |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
476 |
NULL Pointer Dereference |
|
Major |
Demonstrative_Examples, Detection_Factors, References, Relationships |
|
Minor |
None |
477 |
Use of Obsolete Function |
|
Major |
Relationships |
|
Minor |
None |
478 |
Missing Default Case in Multiple Condition Expression |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
479 |
Signal Handler Use of a Non-reentrant Function |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
480 |
Use of Incorrect Operator |
|
Major |
Relationships |
|
Minor |
None |
481 |
Assigning instead of Comparing |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
482 |
Comparing instead of Assigning |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
483 |
Incorrect Block Delimitation |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
484 |
Omitted Break Statement in Switch |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
485 |
7PK - Encapsulation |
|
Major |
Mapping_Notes |
|
Minor |
None |
486 |
Comparison of Classes by Name |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
487 |
Reliance on Package-level Scope |
|
Major |
Relationships |
|
Minor |
None |
488 |
Exposure of Data Element to Wrong Session |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
489 |
Active Debug Code |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
491 |
Public cloneable() Method Without Final ('Object Hijack') |
|
Major |
Relationships |
|
Minor |
None |
492 |
Use of Inner Class Containing Sensitive Data |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
493 |
Critical Public Variable Without Final Modifier |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
494 |
Download of Code Without Integrity Check |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
495 |
Private Data Structure Returned From A Public Method |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
496 |
Public Data Assigned to Private Array-Typed Field |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
497 |
Exposure of Sensitive System Information to an Unauthorized Control Sphere |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
498 |
Cloneable Class Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
499 |
Serializable Class Containing Sensitive Data |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
500 |
Public Static Field Not Marked Final |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
501 |
Trust Boundary Violation |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
502 |
Deserialization of Untrusted Data |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
506 |
Embedded Malicious Code |
|
Major |
Relationships |
|
Minor |
None |
507 |
Trojan Horse |
|
Major |
Relationships |
|
Minor |
None |
508 |
Non-Replicating Malicious Code |
|
Major |
Relationships |
|
Minor |
None |
509 |
Replicating Malicious Code (Virus or Worm) |
|
Major |
Relationships |
|
Minor |
None |
510 |
Trapdoor |
|
Major |
Relationships |
|
Minor |
None |
511 |
Logic/Time Bomb |
|
Major |
References, Relationships |
|
Minor |
None |
512 |
Spyware |
|
Major |
Relationships |
|
Minor |
None |
514 |
Covert Channel |
|
Major |
Relationships |
|
Minor |
None |
515 |
Covert Storage Channel |
|
Major |
Relationships |
|
Minor |
None |
520 |
.NET Misconfiguration: Use of Impersonation |
|
Major |
Relationships |
|
Minor |
None |
521 |
Weak Password Requirements |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
522 |
Insufficiently Protected Credentials |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
523 |
Unprotected Transport of Credentials |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
524 |
Use of Cache Containing Sensitive Information |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
525 |
Use of Web Browser Cache Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
526 |
Cleartext Storage of Sensitive Information in an Environment Variable |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
527 |
Exposure of Version-Control Repository to an Unauthorized Control Sphere |
|
Major |
Relationships |
|
Minor |
None |
528 |
Exposure of Core Dump File to an Unauthorized Control Sphere |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
529 |
Exposure of Access Control List Files to an Unauthorized Control Sphere |
|
Major |
Relationships |
|
Minor |
None |
530 |
Exposure of Backup File to an Unauthorized Control Sphere |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
531 |
Inclusion of Sensitive Information in Test Code |
|
Major |
Relationships |
|
Minor |
None |
532 |
Insertion of Sensitive Information into Log File |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
535 |
Exposure of Information Through Shell Error Message |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
536 |
Servlet Runtime Error Message Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
537 |
Java Runtime Error Message Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
538 |
Insertion of Sensitive Information into Externally-Accessible File or Directory |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
539 |
Use of Persistent Cookies Containing Sensitive Information |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
540 |
Inclusion of Sensitive Information in Source Code |
|
Major |
Relationships |
|
Minor |
None |
541 |
Inclusion of Sensitive Information in an Include File |
|
Major |
Relationships |
|
Minor |
None |
543 |
Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
|
Major |
Relationships |
|
Minor |
None |
544 |
Missing Standardized Error Handling Mechanism |
|
Major |
Relationships |
|
Minor |
None |
546 |
Suspicious Comment |
|
Major |
Relationships |
|
Minor |
None |
547 |
Use of Hard-coded, Security-relevant Constants |
|
Major |
Detection_Factors, Relationships, Type |
|
Minor |
None |
548 |
Exposure of Information Through Directory Listing |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
549 |
Missing Password Field Masking |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
550 |
Server-generated Error Message Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
551 |
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
|
Major |
Relationships |
|
Minor |
None |
552 |
Files or Directories Accessible to External Parties |
|
Major |
Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
553 |
Command Shell in Externally Accessible Directory |
|
Major |
Relationships |
|
Minor |
None |
554 |
ASP.NET Misconfiguration: Not Using Input Validation Framework |
|
Major |
Relationships |
|
Minor |
None |
555 |
J2EE Misconfiguration: Plaintext Password in Configuration File |
|
Major |
Relationships |
|
Minor |
None |
556 |
ASP.NET Misconfiguration: Use of Identity Impersonation |
|
Major |
Relationships |
|
Minor |
None |
557 |
Concurrency Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
558 |
Use of getlogin() in Multithreaded Application |
|
Major |
Relationships |
|
Minor |
None |
560 |
Use of umask() with chmod-style Argument |
|
Major |
Relationships |
|
Minor |
None |
561 |
Dead Code |
|
Major |
References, Relationships |
|
Minor |
None |
562 |
Return of Stack Variable Address |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
563 |
Assignment to Variable without Use |
|
Major |
Detection_Factors, Relationships, Type |
|
Minor |
None |
564 |
SQL Injection: Hibernate |
|
Major |
Relationships |
|
Minor |
None |
565 |
Reliance on Cookies without Validation and Integrity Checking |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
566 |
Authorization Bypass Through User-Controlled SQL Primary Key |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
567 |
Unsynchronized Access to Shared Data in a Multithreaded Context |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
568 |
finalize() Method Without super.finalize() |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
569 |
Expression Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
570 |
Expression is Always False |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
571 |
Expression is Always True |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
572 |
Call to Thread run() instead of start() |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
573 |
Improper Following of Specification by Caller |
|
Major |
Relationships |
|
Minor |
None |
574 |
EJB Bad Practices: Use of Synchronization Primitives |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
575 |
EJB Bad Practices: Use of AWT Swing |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
576 |
EJB Bad Practices: Use of Java I/O |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
577 |
EJB Bad Practices: Use of Sockets |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
578 |
EJB Bad Practices: Use of Class Loader |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
579 |
J2EE Bad Practices: Non-serializable Object Stored in Session |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
580 |
clone() Method Without super.clone() |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
581 |
Object Model Violation: Just One of Equals and Hashcode Defined |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
582 |
Array Declared Public, Final, and Static |
|
Major |
Relationships |
|
Minor |
None |
583 |
finalize() Method Declared Public |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
584 |
Return Inside Finally Block |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
585 |
Empty Synchronized Block |
|
Major |
Detection_Factors, References, Relationships, Type |
|
Minor |
None |
586 |
Explicit Call to Finalize() |
|
Major |
Detection_Factors, Relationships, Type |
|
Minor |
None |
587 |
Assignment of a Fixed Address to a Pointer |
|
Major |
Relationships, Time_of_Introduction, Type |
|
Minor |
None |
588 |
Attempt to Access Child of a Non-structure Pointer |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
589 |
Call to Non-ubiquitous API |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
590 |
Free of Memory not on the Heap |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
591 |
Sensitive Data Storage in Improperly Locked Memory |
|
Major |
Relationships |
|
Minor |
None |
593 |
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
594 |
J2EE Framework: Saving Unserializable Objects to Disk |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
595 |
Comparison of Object References Instead of Object Contents |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
597 |
Use of Wrong Operator in String Comparison |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
598 |
Use of GET Request Method With Sensitive Query Strings |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
599 |
Missing Validation of OpenSSL Certificate |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
600 |
Uncaught Exception in Servlet |
|
Major |
Relationships, Type |
|
Minor |
None |
601 |
URL Redirection to Untrusted Site ('Open Redirect') |
|
Major |
Description, Detection_Factors, References, Relationships |
|
Minor |
None |
602 |
Client-Side Enforcement of Server-Side Security |
|
Major |
Relationships |
|
Minor |
None |
603 |
Use of Client-Side Authentication |
|
Major |
Relationships |
|
Minor |
None |
605 |
Multiple Binds to the Same Port |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
606 |
Unchecked Input for Loop Condition |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
607 |
Public Static Final Field References Mutable Object |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
608 |
Struts: Non-private Field in ActionForm Class |
|
Major |
Relationships |
|
Minor |
None |
609 |
Double-Checked Locking |
|
Major |
Relationships |
|
Minor |
None |
610 |
Externally Controlled Reference to a Resource in Another Sphere |
|
Major |
Relationships |
|
Minor |
None |
611 |
Improper Restriction of XML External Entity Reference |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
612 |
Improper Authorization of Index Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
613 |
Insufficient Session Expiration |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
614 |
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
615 |
Inclusion of Sensitive Information in Source Code Comments |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
616 |
Incomplete Identification of Uploaded File Variables (PHP) |
|
Major |
Relationships |
|
Minor |
None |
617 |
Reachable Assertion |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
618 |
Exposed Unsafe ActiveX Method |
|
Major |
Detection_Factors, References, Relationships, Type |
|
Minor |
None |
619 |
Dangling Database Cursor ('Cursor Injection') |
|
Major |
References, Relationships |
|
Minor |
None |
620 |
Unverified Password Change |
|
Major |
Relationships |
|
Minor |
None |
621 |
Variable Extraction Error |
|
Major |
Relationships, Type |
|
Minor |
None |
622 |
Improper Validation of Function Hook Arguments |
|
Major |
Relationships |
|
Minor |
None |
623 |
Unsafe ActiveX Control Marked Safe For Scripting |
|
Major |
References, Relationships |
|
Minor |
None |
624 |
Executable Regular Expression Error |
|
Major |
Relationships |
|
Minor |
None |
625 |
Permissive Regular Expression |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
626 |
Null Byte Interaction Error (Poison Null Byte) |
|
Major |
References, Relationships |
|
Minor |
None |
627 |
Dynamic Variable Evaluation |
|
Major |
References, Relationships, Type |
|
Minor |
None |
628 |
Function Call with Incorrectly Specified Arguments |
|
Major |
Relationships |
|
Minor |
None |
629 |
Weaknesses in OWASP Top Ten (2007) |
|
Major |
References |
|
Minor |
None |
636 |
Not Failing Securely ('Failing Open') |
|
Major |
References, Relationships |
|
Minor |
None |
637 |
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
|
Major |
References, Relationships |
|
Minor |
None |
638 |
Not Using Complete Mediation |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
639 |
Authorization Bypass Through User-Controlled Key |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
640 |
Weak Password Recovery Mechanism for Forgotten Password |
|
Major |
Relationships |
|
Minor |
None |
641 |
Improper Restriction of Names for Files and Other Resources |
|
Major |
Relationships |
|
Minor |
None |
642 |
External Control of Critical State Data |
|
Major |
Detection_Factors, Potential_Mitigations, References, Relationships |
|
Minor |
None |
643 |
Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
644 |
Improper Neutralization of HTTP Headers for Scripting Syntax |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
645 |
Overly Restrictive Account Lockout Mechanism |
|
Major |
Relationships |
|
Minor |
None |
646 |
Reliance on File Name or Extension of Externally-Supplied File |
|
Major |
Relationships |
|
Minor |
None |
647 |
Use of Non-Canonical URL Paths for Authorization Decisions |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
648 |
Incorrect Use of Privileged APIs |
|
Major |
Relationships |
|
Minor |
None |
649 |
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking |
|
Major |
Relationships |
|
Minor |
None |
650 |
Trusting HTTP Permission Methods on the Server Side |
|
Major |
Relationships |
|
Minor |
None |
651 |
Exposure of WSDL File Containing Sensitive Information |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
652 |
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
|
Major |
Relationships |
|
Minor |
None |
653 |
Improper Isolation or Compartmentalization |
|
Major |
References, Relationships |
|
Minor |
None |
654 |
Reliance on a Single Factor in a Security Decision |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
655 |
Insufficient Psychological Acceptability |
|
Major |
References, Relationships, Time_of_Introduction, Type |
|
Minor |
None |
656 |
Reliance on Security Through Obscurity |
|
Major |
Demonstrative_Examples, References, Relationships, Type |
|
Minor |
None |
657 |
Violation of Secure Design Principles |
|
Major |
References, Relationships |
|
Minor |
None |
662 |
Improper Synchronization |
|
Major |
Relationships |
|
Minor |
None |
663 |
Use of a Non-reentrant Function in a Concurrent Context |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
664 |
Improper Control of a Resource Through its Lifetime |
|
Major |
Relationships |
|
Minor |
None |
665 |
Improper Initialization |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
666 |
Operation on Resource in Wrong Phase of Lifetime |
|
Major |
Relationships |
|
Minor |
None |
667 |
Improper Locking |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
668 |
Exposure of Resource to Wrong Sphere |
|
Major |
Relationships |
|
Minor |
None |
669 |
Incorrect Resource Transfer Between Spheres |
|
Major |
Relationships |
|
Minor |
None |
670 |
Always-Incorrect Control Flow Implementation |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
671 |
Lack of Administrator Control over Security |
|
Major |
Relationships |
|
Minor |
None |
672 |
Operation on a Resource after Expiration or Release |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
673 |
External Influence of Sphere Definition |
|
Major |
Relationships |
|
Minor |
None |
674 |
Uncontrolled Recursion |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
675 |
Multiple Operations on Resource in Single-Operation Context |
|
Major |
Relationships |
|
Minor |
None |
676 |
Use of Potentially Dangerous Function |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
680 |
Integer Overflow to Buffer Overflow |
|
Major |
Relationships |
|
Minor |
None |
681 |
Incorrect Conversion between Numeric Types |
|
Major |
Relationships |
|
Minor |
None |
682 |
Incorrect Calculation |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
683 |
Function Call With Incorrect Order of Arguments |
|
Major |
Relationships |
|
Minor |
None |
684 |
Incorrect Provision of Specified Functionality |
|
Major |
Relationships |
|
Minor |
None |
685 |
Function Call With Incorrect Number of Arguments |
|
Major |
Relationships |
|
Minor |
None |
686 |
Function Call With Incorrect Argument Type |
|
Major |
Relationships |
|
Minor |
None |
687 |
Function Call With Incorrectly Specified Argument Value |
|
Major |
Relationships |
|
Minor |
None |
688 |
Function Call With Incorrect Variable or Reference as Argument |
|
Major |
Relationships |
|
Minor |
None |
689 |
Permission Race Condition During Resource Copy |
|
Major |
Relationships |
|
Minor |
None |
690 |
Unchecked Return Value to NULL Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
691 |
Insufficient Control Flow Management |
|
Major |
Relationships |
|
Minor |
None |
692 |
Incomplete Denylist to Cross-Site Scripting |
|
Major |
Relationships |
|
Minor |
None |
693 |
Protection Mechanism Failure |
|
Major |
Relationships |
|
Minor |
None |
694 |
Use of Multiple Resources with Duplicate Identifier |
|
Major |
Relationships |
|
Minor |
None |
695 |
Use of Low-Level Functionality |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
696 |
Incorrect Behavior Order |
|
Major |
Relationships |
|
Minor |
None |
697 |
Incorrect Comparison |
|
Major |
Relationships |
|
Minor |
None |
698 |
Execution After Redirect (EAR) |
|
Major |
Relationships |
|
Minor |
None |
701 |
Weaknesses Introduced During Design |
|
Major |
View_Filter |
|
Minor |
None |
703 |
Improper Check or Handling of Exceptional Conditions |
|
Major |
References, Relationships |
|
Minor |
None |
704 |
Incorrect Type Conversion or Cast |
|
Major |
Detection_Factors, Relationships, Time_of_Introduction |
|
Minor |
None |
705 |
Incorrect Control Flow Scoping |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
706 |
Use of Incorrectly-Resolved Name or Reference |
|
Major |
Relationships |
|
Minor |
None |
707 |
Improper Neutralization |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
708 |
Incorrect Ownership Assignment |
|
Major |
Relationships |
|
Minor |
None |
710 |
Improper Adherence to Coding Standards |
|
Major |
Relationships |
|
Minor |
None |
711 |
Weaknesses in OWASP Top Ten (2004) |
|
Major |
References |
|
Minor |
None |
712 |
OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
713 |
OWASP Top Ten 2007 Category A2 - Injection Flaws |
|
Major |
Mapping_Notes |
|
Minor |
None |
714 |
OWASP Top Ten 2007 Category A3 - Malicious File Execution |
|
Major |
Mapping_Notes |
|
Minor |
None |
715 |
OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference |
|
Major |
Mapping_Notes |
|
Minor |
None |
716 |
OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF) |
|
Major |
Mapping_Notes |
|
Minor |
None |
717 |
OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling |
|
Major |
Mapping_Notes |
|
Minor |
None |
718 |
OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
719 |
OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage |
|
Major |
Mapping_Notes |
|
Minor |
None |
720 |
OWASP Top Ten 2007 Category A9 - Insecure Communications |
|
Major |
Mapping_Notes |
|
Minor |
None |
721 |
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access |
|
Major |
Mapping_Notes |
|
Minor |
None |
722 |
OWASP Top Ten 2004 Category A1 - Unvalidated Input |
|
Major |
Mapping_Notes |
|
Minor |
None |
723 |
OWASP Top Ten 2004 Category A2 - Broken Access Control |
|
Major |
Mapping_Notes |
|
Minor |
None |
724 |
OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
725 |
OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws |
|
Major |
Mapping_Notes |
|
Minor |
None |
726 |
OWASP Top Ten 2004 Category A5 - Buffer Overflows |
|
Major |
Mapping_Notes |
|
Minor |
None |
727 |
OWASP Top Ten 2004 Category A6 - Injection Flaws |
|
Major |
Mapping_Notes |
|
Minor |
None |
728 |
OWASP Top Ten 2004 Category A7 - Improper Error Handling |
|
Major |
Mapping_Notes |
|
Minor |
None |
729 |
OWASP Top Ten 2004 Category A8 - Insecure Storage |
|
Major |
Mapping_Notes |
|
Minor |
None |
730 |
OWASP Top Ten 2004 Category A9 - Denial of Service |
|
Major |
Mapping_Notes |
|
Minor |
None |
731 |
OWASP Top Ten 2004 Category A10 - Insecure Configuration Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
732 |
Incorrect Permission Assignment for Critical Resource |
|
Major |
Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships |
|
Minor |
None |
733 |
Compiler Optimization Removal or Modification of Security-critical Code |
|
Major |
Relationships |
|
Minor |
None |
735 |
CERT C Secure Coding Standard (2008) Chapter 2 - Preprocessor (PRE) |
|
Major |
Mapping_Notes |
|
Minor |
None |
736 |
CERT C Secure Coding Standard (2008) Chapter 3 - Declarations and Initialization (DCL) |
|
Major |
Mapping_Notes |
|
Minor |
None |
737 |
CERT C Secure Coding Standard (2008) Chapter 4 - Expressions (EXP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
738 |
CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT) |
|
Major |
Mapping_Notes |
|
Minor |
None |
739 |
CERT C Secure Coding Standard (2008) Chapter 6 - Floating Point (FLP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
740 |
CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
741 |
CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
742 |
CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM) |
|
Major |
Mapping_Notes |
|
Minor |
None |
743 |
CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO) |
|
Major |
Mapping_Notes |
|
Minor |
None |
744 |
CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV) |
|
Major |
Mapping_Notes |
|
Minor |
None |
745 |
CERT C Secure Coding Standard (2008) Chapter 12 - Signals (SIG) |
|
Major |
Mapping_Notes |
|
Minor |
None |
746 |
CERT C Secure Coding Standard (2008) Chapter 13 - Error Handling (ERR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
747 |
CERT C Secure Coding Standard (2008) Chapter 14 - Miscellaneous (MSC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
748 |
CERT C Secure Coding Standard (2008) Appendix - POSIX (POS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
749 |
Exposed Dangerous Method or Function |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
751 |
2009 Top 25 - Insecure Interaction Between Components |
|
Major |
Mapping_Notes |
|
Minor |
None |
752 |
2009 Top 25 - Risky Resource Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
753 |
2009 Top 25 - Porous Defenses |
|
Major |
Mapping_Notes |
|
Minor |
None |
754 |
Improper Check for Unusual or Exceptional Conditions |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
755 |
Improper Handling of Exceptional Conditions |
|
Major |
Relationships |
|
Minor |
None |
756 |
Missing Custom Error Page |
|
Major |
Relationships |
|
Minor |
None |
757 |
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
758 |
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
759 |
Use of a One-Way Hash without a Salt |
|
Major |
References, Relationships |
|
Minor |
None |
760 |
Use of a One-Way Hash with a Predictable Salt |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
761 |
Free of Pointer not at Start of Buffer |
|
Major |
References, Relationships |
|
Minor |
None |
762 |
Mismatched Memory Management Routines |
|
Major |
References, Relationships |
|
Minor |
None |
763 |
Release of Invalid Pointer or Reference |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
764 |
Multiple Locks of a Critical Resource |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
765 |
Multiple Unlocks of a Critical Resource |
|
Major |
Relationships |
|
Minor |
None |
766 |
Critical Data Element Declared Public |
|
Major |
Detection_Factors, References, Relationships, Time_of_Introduction, Type |
|
Minor |
None |
767 |
Access to Critical Private Variable via Public Method |
|
Major |
Relationships, Time_of_Introduction, Type |
|
Minor |
None |
768 |
Incorrect Short Circuit Evaluation |
|
Major |
Relationships |
|
Minor |
None |
770 |
Allocation of Resources Without Limits or Throttling |
|
Major |
References, Relationships |
|
Minor |
None |
771 |
Missing Reference to Active Allocated Resource |
|
Major |
Relationships, Taxonomy_Mappings, Time_of_Introduction |
|
Minor |
None |
772 |
Missing Release of Resource after Effective Lifetime |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
773 |
Missing Reference to Active File Descriptor or Handle |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
774 |
Allocation of File Descriptors or Handles Without Limits or Throttling |
|
Major |
Relationships |
|
Minor |
None |
775 |
Missing Release of File Descriptor or Handle after Effective Lifetime |
|
Major |
Relationships |
|
Minor |
None |
776 |
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
777 |
Regular Expression without Anchors |
|
Major |
Relationships |
|
Minor |
None |
778 |
Insufficient Logging |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
779 |
Logging of Excessive Data |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
780 |
Use of RSA Algorithm without OAEP |
|
Major |
Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
781 |
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
782 |
Exposed IOCTL with Insufficient Access Control |
|
Major |
References, Relationships |
|
Minor |
None |
783 |
Operator Precedence Logic Error |
|
Major |
Relationships |
|
Minor |
None |
784 |
Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
|
Major |
Modes_of_Introduction, Relationships, Time_of_Introduction |
|
Minor |
None |
785 |
Use of Path Manipulation Function without Maximum-sized Buffer |
|
Major |
Relationships |
|
Minor |
None |
786 |
Access of Memory Location Before Start of Buffer |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
787 |
Out-of-bounds Write |
|
Major |
Potential_Mitigations, References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
788 |
Access of Memory Location After End of Buffer |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
789 |
Memory Allocation with Excessive Size Value |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
790 |
Improper Filtering of Special Elements |
|
Major |
Relationships |
|
Minor |
None |
791 |
Incomplete Filtering of Special Elements |
|
Major |
Relationships |
|
Minor |
None |
792 |
Incomplete Filtering of One or More Instances of Special Elements |
|
Major |
Relationships |
|
Minor |
None |
793 |
Only Filtering One Instance of a Special Element |
|
Major |
Relationships |
|
Minor |
None |
794 |
Incomplete Filtering of Multiple Instances of Special Elements |
|
Major |
Relationships |
|
Minor |
None |
795 |
Only Filtering Special Elements at a Specified Location |
|
Major |
Relationships |
|
Minor |
None |
796 |
Only Filtering Special Elements Relative to a Marker |
|
Major |
Relationships |
|
Minor |
None |
797 |
Only Filtering Special Elements at an Absolute Position |
|
Major |
Relationships |
|
Minor |
None |
798 |
Use of Hard-coded Credentials |
|
Major |
References, Relationships |
|
Minor |
None |
799 |
Improper Control of Interaction Frequency |
|
Major |
Relationships |
|
Minor |
None |
801 |
2010 Top 25 - Insecure Interaction Between Components |
|
Major |
Mapping_Notes |
|
Minor |
None |
802 |
2010 Top 25 - Risky Resource Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
803 |
2010 Top 25 - Porous Defenses |
|
Major |
Mapping_Notes |
|
Minor |
None |
804 |
Guessable CAPTCHA |
|
Major |
Relationships |
|
Minor |
None |
805 |
Buffer Access with Incorrect Length Value |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
806 |
Buffer Access Using Size of Source Buffer |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
807 |
Reliance on Untrusted Inputs in a Security Decision |
|
Major |
Potential_Mitigations, References, Relationships |
|
Minor |
None |
808 |
2010 Top 25 - Weaknesses On the Cusp |
|
Major |
Mapping_Notes |
|
Minor |
None |
810 |
OWASP Top Ten 2010 Category A1 - Injection |
|
Major |
Mapping_Notes |
|
Minor |
None |
811 |
OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
812 |
OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
813 |
OWASP Top Ten 2010 Category A4 - Insecure Direct Object References |
|
Major |
Mapping_Notes |
|
Minor |
None |
814 |
OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF) |
|
Major |
Mapping_Notes |
|
Minor |
None |
815 |
OWASP Top Ten 2010 Category A6 - Security Misconfiguration |
|
Major |
Mapping_Notes |
|
Minor |
None |
816 |
OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage |
|
Major |
Mapping_Notes |
|
Minor |
None |
817 |
OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access |
|
Major |
Mapping_Notes |
|
Minor |
None |
818 |
OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection |
|
Major |
Mapping_Notes |
|
Minor |
None |
819 |
OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards |
|
Major |
Mapping_Notes |
|
Minor |
None |
820 |
Missing Synchronization |
|
Major |
Relationships |
|
Minor |
None |
821 |
Incorrect Synchronization |
|
Major |
Relationships |
|
Minor |
None |
822 |
Untrusted Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
823 |
Use of Out-of-range Pointer Offset |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
824 |
Access of Uninitialized Pointer |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
825 |
Expired Pointer Dereference |
|
Major |
Relationships |
|
Minor |
None |
826 |
Premature Release of Resource During Expected Lifetime |
|
Major |
Relationships |
|
Minor |
None |
827 |
Improper Control of Document Type Definition |
|
Major |
Relationships |
|
Minor |
None |
828 |
Signal Handler with Functionality that is not Asynchronous-Safe |
|
Major |
References, Relationships, Type |
|
Minor |
None |
829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
Major |
References, Relationships |
|
Minor |
None |
830 |
Inclusion of Web Functionality from an Untrusted Source |
|
Major |
References, Relationships |
|
Minor |
None |
831 |
Signal Handler Function Associated with Multiple Signals |
|
Major |
References, Relationships, Type |
|
Minor |
None |
832 |
Unlock of a Resource that is not Locked |
|
Major |
Relationships |
|
Minor |
None |
833 |
Deadlock |
|
Major |
Relationships |
|
Minor |
None |
834 |
Excessive Iteration |
|
Major |
Relationships |
|
Minor |
None |
835 |
Loop with Unreachable Exit Condition ('Infinite Loop') |
|
Major |
Relationships |
|
Minor |
None |
836 |
Use of Password Hash Instead of Password for Authentication |
|
Major |
Relationships |
|
Minor |
None |
837 |
Improper Enforcement of a Single, Unique Action |
|
Major |
Relationships |
|
Minor |
None |
838 |
Inappropriate Encoding for Output Context |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
839 |
Numeric Range Comparison Without Minimum Check |
|
Major |
Relationships |
|
Minor |
None |
840 |
Business Logic Errors |
|
Major |
Mapping_Notes, References, Relationships |
|
Minor |
None |
841 |
Improper Enforcement of Behavioral Workflow |
|
Major |
References, Relationships |
|
Minor |
None |
842 |
Placement of User into Incorrect Group |
|
Major |
Relationships |
|
Minor |
None |
843 |
Access of Resource Using Incompatible Type ('Type Confusion') |
|
Major |
References, Relationships |
|
Minor |
None |
845 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
846 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 3 - Declarations and Initialization (DCL) |
|
Major |
Mapping_Notes |
|
Minor |
None |
847 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 4 - Expressions (EXP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
848 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 5 - Numeric Types and Operations (NUM) |
|
Major |
Mapping_Notes |
|
Minor |
None |
849 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ) |
|
Major |
Mapping_Notes |
|
Minor |
None |
850 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 7 - Methods (MET) |
|
Major |
Mapping_Notes |
|
Minor |
None |
851 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
852 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 9 - Visibility and Atomicity (VNA) |
|
Major |
Mapping_Notes |
|
Minor |
None |
853 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK) |
|
Major |
Mapping_Notes |
|
Minor |
None |
854 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 11 - Thread APIs (THI) |
|
Major |
Mapping_Notes |
|
Minor |
None |
855 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 12 - Thread Pools (TPS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
856 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 13 - Thread-Safety Miscellaneous (TSM) |
|
Major |
Mapping_Notes |
|
Minor |
None |
857 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 14 - Input Output (FIO) |
|
Major |
Mapping_Notes |
|
Minor |
None |
858 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 15 - Serialization (SER) |
|
Major |
Mapping_Notes |
|
Minor |
None |
859 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
860 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 17 - Runtime Environment (ENV) |
|
Major |
Mapping_Notes |
|
Minor |
None |
861 |
The CERT Oracle Secure Coding Standard for Java (2011) Chapter 18 - Miscellaneous (MSC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
862 |
Missing Authorization |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
863 |
Incorrect Authorization |
|
Major |
References, Relationships |
|
Minor |
None |
864 |
2011 Top 25 - Insecure Interaction Between Components |
|
Major |
Mapping_Notes |
|
Minor |
None |
865 |
2011 Top 25 - Risky Resource Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
866 |
2011 Top 25 - Porous Defenses |
|
Major |
Mapping_Notes |
|
Minor |
None |
867 |
2011 Top 25 - Weaknesses On the Cusp |
|
Major |
Mapping_Notes |
|
Minor |
None |
869 |
CERT C++ Secure Coding Section 01 - Preprocessor (PRE) |
|
Major |
Mapping_Notes |
|
Minor |
None |
870 |
CERT C++ Secure Coding Section 02 - Declarations and Initialization (DCL) |
|
Major |
Mapping_Notes |
|
Minor |
None |
871 |
CERT C++ Secure Coding Section 03 - Expressions (EXP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
872 |
CERT C++ Secure Coding Section 04 - Integers (INT) |
|
Major |
Mapping_Notes |
|
Minor |
None |
873 |
CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
874 |
CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
875 |
CERT C++ Secure Coding Section 07 - Characters and Strings (STR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
876 |
CERT C++ Secure Coding Section 08 - Memory Management (MEM) |
|
Major |
Mapping_Notes |
|
Minor |
None |
877 |
CERT C++ Secure Coding Section 09 - Input Output (FIO) |
|
Major |
Mapping_Notes |
|
Minor |
None |
878 |
CERT C++ Secure Coding Section 10 - Environment (ENV) |
|
Major |
Mapping_Notes |
|
Minor |
None |
879 |
CERT C++ Secure Coding Section 11 - Signals (SIG) |
|
Major |
Mapping_Notes |
|
Minor |
None |
880 |
CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
881 |
CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
882 |
CERT C++ Secure Coding Section 14 - Concurrency (CON) |
|
Major |
Mapping_Notes |
|
Minor |
None |
883 |
CERT C++ Secure Coding Section 49 - Miscellaneous (MSC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
885 |
SFP Primary Cluster: Risky Values |
|
Major |
Mapping_Notes |
|
Minor |
None |
886 |
SFP Primary Cluster: Unused entities |
|
Major |
Mapping_Notes |
|
Minor |
None |
887 |
SFP Primary Cluster: API |
|
Major |
Mapping_Notes |
|
Minor |
None |
889 |
SFP Primary Cluster: Exception Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
890 |
SFP Primary Cluster: Memory Access |
|
Major |
Mapping_Notes |
|
Minor |
None |
891 |
SFP Primary Cluster: Memory Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
892 |
SFP Primary Cluster: Resource Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
893 |
SFP Primary Cluster: Path Resolution |
|
Major |
Mapping_Notes |
|
Minor |
None |
894 |
SFP Primary Cluster: Synchronization |
|
Major |
Mapping_Notes |
|
Minor |
None |
895 |
SFP Primary Cluster: Information Leak |
|
Major |
Mapping_Notes |
|
Minor |
None |
896 |
SFP Primary Cluster: Tainted Input |
|
Major |
Mapping_Notes |
|
Minor |
None |
897 |
SFP Primary Cluster: Entry Points |
|
Major |
Mapping_Notes |
|
Minor |
None |
898 |
SFP Primary Cluster: Authentication |
|
Major |
Mapping_Notes |
|
Minor |
None |
899 |
SFP Primary Cluster: Access Control |
|
Major |
Mapping_Notes |
|
Minor |
None |
901 |
SFP Primary Cluster: Privilege |
|
Major |
Mapping_Notes |
|
Minor |
None |
902 |
SFP Primary Cluster: Channel |
|
Major |
Mapping_Notes |
|
Minor |
None |
903 |
SFP Primary Cluster: Cryptography |
|
Major |
Mapping_Notes |
|
Minor |
None |
904 |
SFP Primary Cluster: Malware |
|
Major |
Mapping_Notes |
|
Minor |
None |
905 |
SFP Primary Cluster: Predictability |
|
Major |
Mapping_Notes |
|
Minor |
None |
906 |
SFP Primary Cluster: UI |
|
Major |
Mapping_Notes |
|
Minor |
None |
907 |
SFP Primary Cluster: Other |
|
Major |
Mapping_Notes |
|
Minor |
None |
908 |
Use of Uninitialized Resource |
|
Major |
Relationships |
|
Minor |
None |
909 |
Missing Initialization of Resource |
|
Major |
Relationships |
|
Minor |
None |
910 |
Use of Expired File Descriptor |
|
Major |
Relationships |
|
Minor |
None |
911 |
Improper Update of Reference Count |
|
Major |
References, Relationships |
|
Minor |
None |
912 |
Hidden Functionality |
|
Major |
Relationships |
|
Minor |
None |
913 |
Improper Control of Dynamically-Managed Code Resources |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
914 |
Improper Control of Dynamically-Identified Variables |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
915 |
Improperly Controlled Modification of Dynamically-Determined Object Attributes |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
916 |
Use of Password Hash With Insufficient Computational Effort |
|
Major |
References, Relationships |
|
Minor |
None |
917 |
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
918 |
Server-Side Request Forgery (SSRF) |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
920 |
Improper Restriction of Power Consumption |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
921 |
Storage of Sensitive Data in a Mechanism without Access Control |
|
Major |
References, Relationships |
|
Minor |
None |
922 |
Insecure Storage of Sensitive Information |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
923 |
Improper Restriction of Communication Channel to Intended Endpoints |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
924 |
Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
|
Major |
Relationships |
|
Minor |
None |
925 |
Improper Verification of Intent by Broadcast Receiver |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
926 |
Improper Export of Android Application Components |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
927 |
Use of Implicit Intent for Sensitive Communication |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
929 |
OWASP Top Ten 2013 Category A1 - Injection |
|
Major |
Mapping_Notes |
|
Minor |
None |
930 |
OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
931 |
OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
932 |
OWASP Top Ten 2013 Category A4 - Insecure Direct Object References |
|
Major |
Mapping_Notes |
|
Minor |
None |
933 |
OWASP Top Ten 2013 Category A5 - Security Misconfiguration |
|
Major |
Mapping_Notes |
|
Minor |
None |
934 |
OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure |
|
Major |
Mapping_Notes |
|
Minor |
None |
935 |
OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control |
|
Major |
Mapping_Notes |
|
Minor |
None |
936 |
OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF) |
|
Major |
Mapping_Notes |
|
Minor |
None |
937 |
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities |
|
Major |
Mapping_Notes |
|
Minor |
None |
938 |
OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards |
|
Major |
Mapping_Notes |
|
Minor |
None |
939 |
Improper Authorization in Handler for Custom URL Scheme |
|
Major |
References, Relationships |
|
Minor |
None |
940 |
Improper Verification of Source of a Communication Channel |
|
Major |
Relationships |
|
Minor |
None |
941 |
Incorrectly Specified Destination in a Communication Channel |
|
Major |
References, Relationships |
|
Minor |
None |
942 |
Permissive Cross-domain Policy with Untrusted Domains |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
943 |
Improper Neutralization of Special Elements in Data Query Logic |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
944 |
SFP Secondary Cluster: Access Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
945 |
SFP Secondary Cluster: Insecure Resource Access |
|
Major |
Mapping_Notes |
|
Minor |
None |
946 |
SFP Secondary Cluster: Insecure Resource Permissions |
|
Major |
Mapping_Notes |
|
Minor |
None |
947 |
SFP Secondary Cluster: Authentication Bypass |
|
Major |
Mapping_Notes |
|
Minor |
None |
948 |
SFP Secondary Cluster: Digital Certificate |
|
Major |
Mapping_Notes |
|
Minor |
None |
949 |
SFP Secondary Cluster: Faulty Endpoint Authentication |
|
Major |
Mapping_Notes |
|
Minor |
None |
950 |
SFP Secondary Cluster: Hardcoded Sensitive Data |
|
Major |
Mapping_Notes |
|
Minor |
None |
951 |
SFP Secondary Cluster: Insecure Authentication Policy |
|
Major |
Mapping_Notes |
|
Minor |
None |
952 |
SFP Secondary Cluster: Missing Authentication |
|
Major |
Mapping_Notes |
|
Minor |
None |
953 |
SFP Secondary Cluster: Missing Endpoint Authentication |
|
Major |
Mapping_Notes |
|
Minor |
None |
954 |
SFP Secondary Cluster: Multiple Binds to the Same Port |
|
Major |
Mapping_Notes |
|
Minor |
None |
955 |
SFP Secondary Cluster: Unrestricted Authentication |
|
Major |
Mapping_Notes |
|
Minor |
None |
956 |
SFP Secondary Cluster: Channel Attack |
|
Major |
Mapping_Notes |
|
Minor |
None |
957 |
SFP Secondary Cluster: Protocol Error |
|
Major |
Mapping_Notes |
|
Minor |
None |
958 |
SFP Secondary Cluster: Broken Cryptography |
|
Major |
Mapping_Notes |
|
Minor |
None |
959 |
SFP Secondary Cluster: Weak Cryptography |
|
Major |
Mapping_Notes |
|
Minor |
None |
960 |
SFP Secondary Cluster: Ambiguous Exception Type |
|
Major |
Mapping_Notes |
|
Minor |
None |
961 |
SFP Secondary Cluster: Incorrect Exception Behavior |
|
Major |
Mapping_Notes |
|
Minor |
None |
962 |
SFP Secondary Cluster: Unchecked Status Condition |
|
Major |
Mapping_Notes |
|
Minor |
None |
963 |
SFP Secondary Cluster: Exposed Data |
|
Major |
Mapping_Notes |
|
Minor |
None |
964 |
SFP Secondary Cluster: Exposure Temporary File |
|
Major |
Mapping_Notes |
|
Minor |
None |
965 |
SFP Secondary Cluster: Insecure Session Management |
|
Major |
Mapping_Notes |
|
Minor |
None |
966 |
SFP Secondary Cluster: Other Exposures |
|
Major |
Mapping_Notes |
|
Minor |
None |
967 |
SFP Secondary Cluster: State Disclosure |
|
Major |
Mapping_Notes |
|
Minor |
None |
968 |
SFP Secondary Cluster: Covert Channel |
|
Major |
Mapping_Notes |
|
Minor |
None |
969 |
SFP Secondary Cluster: Faulty Memory Release |
|
Major |
Mapping_Notes |
|
Minor |
None |
970 |
SFP Secondary Cluster: Faulty Buffer Access |
|
Major |
Mapping_Notes |
|
Minor |
None |
971 |
SFP Secondary Cluster: Faulty Pointer Use |
|
Major |
Mapping_Notes |
|
Minor |
None |
972 |
SFP Secondary Cluster: Faulty String Expansion |
|
Major |
Mapping_Notes |
|
Minor |
None |
973 |
SFP Secondary Cluster: Improper NULL Termination |
|
Major |
Mapping_Notes |
|
Minor |
None |
974 |
SFP Secondary Cluster: Incorrect Buffer Length Computation |
|
Major |
Mapping_Notes |
|
Minor |
None |
975 |
SFP Secondary Cluster: Architecture |
|
Major |
Mapping_Notes |
|
Minor |
None |
976 |
SFP Secondary Cluster: Compiler |
|
Major |
Mapping_Notes |
|
Minor |
None |
977 |
SFP Secondary Cluster: Design |
|
Major |
Mapping_Notes |
|
Minor |
None |
978 |
SFP Secondary Cluster: Implementation |
|
Major |
Mapping_Notes |
|
Minor |
None |
979 |
SFP Secondary Cluster: Failed Chroot Jail |
|
Major |
Mapping_Notes |
|
Minor |
None |
980 |
SFP Secondary Cluster: Link in Resource Name Resolution |
|
Major |
Mapping_Notes |
|
Minor |
None |
981 |
SFP Secondary Cluster: Path Traversal |
|
Major |
Mapping_Notes |
|
Minor |
None |
982 |
SFP Secondary Cluster: Failure to Release Resource |
|
Major |
Mapping_Notes |
|
Minor |
None |
983 |
SFP Secondary Cluster: Faulty Resource Use |
|
Major |
Mapping_Notes |
|
Minor |
None |
984 |
SFP Secondary Cluster: Life Cycle |
|
Major |
Mapping_Notes |
|
Minor |
None |
985 |
SFP Secondary Cluster: Unrestricted Consumption |
|
Major |
Mapping_Notes |
|
Minor |
None |
986 |
SFP Secondary Cluster: Missing Lock |
|
Major |
Mapping_Notes |
|
Minor |
None |
987 |
SFP Secondary Cluster: Multiple Locks/Unlocks |
|
Major |
Mapping_Notes |
|
Minor |
None |
988 |
SFP Secondary Cluster: Race Condition Window |
|
Major |
Mapping_Notes |
|
Minor |
None |
989 |
SFP Secondary Cluster: Unrestricted Lock |
|
Major |
Mapping_Notes |
|
Minor |
None |
990 |
SFP Secondary Cluster: Tainted Input to Command |
|
Major |
Mapping_Notes |
|
Minor |
None |
991 |
SFP Secondary Cluster: Tainted Input to Environment |
|
Major |
Mapping_Notes |
|
Minor |
None |
992 |
SFP Secondary Cluster: Faulty Input Transformation |
|
Major |
Mapping_Notes |
|
Minor |
None |
993 |
SFP Secondary Cluster: Incorrect Input Handling |
|
Major |
Mapping_Notes |
|
Minor |
None |
994 |
SFP Secondary Cluster: Tainted Input to Variable |
|
Major |
Mapping_Notes |
|
Minor |
None |
995 |
SFP Secondary Cluster: Feature |
|
Major |
Mapping_Notes |
|
Minor |
None |
996 |
SFP Secondary Cluster: Security |
|
Major |
Mapping_Notes |
|
Minor |
None |
997 |
SFP Secondary Cluster: Information Loss |
|
Major |
Mapping_Notes |
|
Minor |
None |
998 |
SFP Secondary Cluster: Glitch in Computation |
|
Major |
Mapping_Notes |
|
Minor |
None |
1001 |
SFP Secondary Cluster: Use of an Improper API |
|
Major |
Mapping_Notes |
|
Minor |
None |
1002 |
SFP Secondary Cluster: Unexpected Entry Points |
|
Major |
Mapping_Notes |
|
Minor |
None |
1004 |
Sensitive Cookie Without 'HttpOnly' Flag |
|
Major |
Detection_Factors, References, Relationships, Time_of_Introduction |
|
Minor |
None |
1005 |
7PK - Input Validation and Representation |
|
Major |
Mapping_Notes |
|
Minor |
None |
1006 |
Bad Coding Practices |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1007 |
Insufficient Visual Distinction of Homoglyphs Presented to User |
|
Major |
Relationships |
|
Minor |
None |
1009 |
Audit |
|
Major |
Mapping_Notes |
|
Minor |
None |
1010 |
Authenticate Actors |
|
Major |
Mapping_Notes |
|
Minor |
None |
1011 |
Authorize Actors |
|
Major |
Mapping_Notes |
|
Minor |
None |
1012 |
Cross Cutting |
|
Major |
Mapping_Notes |
|
Minor |
None |
1013 |
Encrypt Data |
|
Major |
Mapping_Notes |
|
Minor |
None |
1014 |
Identify Actors |
|
Major |
Mapping_Notes |
|
Minor |
None |
1015 |
Limit Access |
|
Major |
Mapping_Notes |
|
Minor |
None |
1016 |
Limit Exposure |
|
Major |
Mapping_Notes |
|
Minor |
None |
1017 |
Lock Computer |
|
Major |
Mapping_Notes |
|
Minor |
None |
1018 |
Manage User Sessions |
|
Major |
Mapping_Notes |
|
Minor |
None |
1019 |
Validate Inputs |
|
Major |
Mapping_Notes |
|
Minor |
None |
1020 |
Verify Message Integrity |
|
Major |
Mapping_Notes |
|
Minor |
None |
1021 |
Improper Restriction of Rendered UI Layers or Frames |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
1022 |
Use of Web Link to Untrusted Target with window.opener Access |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
1023 |
Incomplete Comparison with Missing Factors |
|
Major |
Relationships |
|
Minor |
None |
1024 |
Comparison of Incompatible Types |
|
Major |
Relationships |
|
Minor |
None |
1025 |
Comparison Using Wrong Factors |
|
Major |
Relationships |
|
Minor |
None |
1027 |
OWASP Top Ten 2017 Category A1 - Injection |
|
Major |
Mapping_Notes |
|
Minor |
None |
1028 |
OWASP Top Ten 2017 Category A2 - Broken Authentication |
|
Major |
Mapping_Notes |
|
Minor |
None |
1029 |
OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure |
|
Major |
Mapping_Notes |
|
Minor |
None |
1030 |
OWASP Top Ten 2017 Category A4 - XML External Entities (XXE) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1031 |
OWASP Top Ten 2017 Category A5 - Broken Access Control |
|
Major |
Mapping_Notes |
|
Minor |
None |
1032 |
OWASP Top Ten 2017 Category A6 - Security Misconfiguration |
|
Major |
Mapping_Notes |
|
Minor |
None |
1033 |
OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1034 |
OWASP Top Ten 2017 Category A8 - Insecure Deserialization |
|
Major |
Mapping_Notes |
|
Minor |
None |
1035 |
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities |
|
Major |
Mapping_Notes |
|
Minor |
None |
1036 |
OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring |
|
Major |
Mapping_Notes |
|
Minor |
None |
1037 |
Processor Optimization Removal or Modification of Security-critical Code |
|
Major |
Relationships |
|
Minor |
None |
1038 |
Insecure Automated Optimizations |
|
Major |
Relationships |
|
Minor |
None |
1039 |
Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations |
|
Major |
References, Relationships |
|
Minor |
None |
1041 |
Use of Redundant Code |
|
Major |
References, Relationships |
|
Minor |
None |
1042 |
Static Member Data Element outside of a Singleton Class Element |
|
Major |
References, Relationships |
|
Minor |
None |
1043 |
Data Element Aggregating an Excessively Large Number of Non-Primitive Elements |
|
Major |
References, Relationships |
|
Minor |
None |
1044 |
Architecture with Number of Horizontal Layers Outside of Expected Range |
|
Major |
References, Relationships |
|
Minor |
None |
1045 |
Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor |
|
Major |
References, Relationships, Type |
|
Minor |
None |
1046 |
Creation of Immutable Text Using String Concatenation |
|
Major |
References, Relationships |
|
Minor |
None |
1047 |
Modules with Circular Dependencies |
|
Major |
References, Relationships |
|
Minor |
None |
1048 |
Invokable Control Element with Large Number of Outward Calls |
|
Major |
References, Relationships |
|
Minor |
None |
1049 |
Excessive Data Query Operations in a Large Data Table |
|
Major |
References, Relationships |
|
Minor |
None |
1050 |
Excessive Platform Resource Consumption within a Loop |
|
Major |
References, Relationships |
|
Minor |
None |
1051 |
Initialization with Hard-Coded Network Resource Configuration Data |
|
Major |
Relationships |
|
Minor |
None |
1052 |
Excessive Use of Hard-Coded Literals in Initialization |
|
Major |
References, Relationships |
|
Minor |
None |
1053 |
Missing Documentation for Design |
|
Major |
Relationships |
|
Minor |
None |
1054 |
Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer |
|
Major |
References, Relationships |
|
Minor |
None |
1055 |
Multiple Inheritance from Concrete Classes |
|
Major |
References, Relationships |
|
Minor |
None |
1056 |
Invokable Control Element with Variadic Parameters |
|
Major |
Relationships |
|
Minor |
None |
1057 |
Data Access Operations Outside of Expected Data Manager Component |
|
Major |
References, Relationships |
|
Minor |
None |
1058 |
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element |
|
Major |
Relationships |
|
Minor |
None |
1059 |
Insufficient Technical Documentation |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
1060 |
Excessive Number of Inefficient Server-Side Data Accesses |
|
Major |
References, Relationships |
|
Minor |
None |
1061 |
Insufficient Encapsulation |
|
Major |
Relationships |
|
Minor |
None |
1062 |
Parent Class with References to Child Class |
|
Major |
Relationships |
|
Minor |
None |
1063 |
Creation of Class Instance within a Static Code Block |
|
Major |
References, Relationships |
|
Minor |
None |
1064 |
Invokable Control Element with Signature Containing an Excessive Number of Parameters |
|
Major |
References, Relationships |
|
Minor |
None |
1065 |
Runtime Resource Management Control Element in a Component Built to Run on Application Servers |
|
Major |
Relationships |
|
Minor |
None |
1066 |
Missing Serialization Control Element |
|
Major |
Relationships |
|
Minor |
None |
1067 |
Excessive Execution of Sequential Searches of Data Resource |
|
Major |
References, Relationships |
|
Minor |
None |
1068 |
Inconsistency Between Implementation and Documented Design |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
1069 |
Empty Exception Block |
|
Major |
Relationships, Type |
|
Minor |
None |
1070 |
Serializable Data Element Containing non-Serializable Item Elements |
|
Major |
Relationships |
|
Minor |
None |
1071 |
Empty Code Block |
|
Major |
Relationships |
|
Minor |
None |
1072 |
Data Resource Access without Use of Connection Pooling |
|
Major |
References, Relationships |
|
Minor |
None |
1073 |
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses |
|
Major |
References, Relationships |
|
Minor |
None |
1074 |
Class with Excessively Deep Inheritance |
|
Major |
References, Relationships |
|
Minor |
None |
1075 |
Unconditional Control Flow Transfer outside of Switch Block |
|
Major |
References, Relationships |
|
Minor |
None |
1076 |
Insufficient Adherence to Expected Conventions |
|
Major |
Relationships |
|
Minor |
None |
1077 |
Floating Point Comparison with Incorrect Operator |
|
Major |
Relationships |
|
Minor |
None |
1078 |
Inappropriate Source Code Style or Formatting |
|
Major |
Relationships |
|
Minor |
None |
1079 |
Parent Class without Virtual Destructor Method |
|
Major |
Relationships |
|
Minor |
None |
1080 |
Source Code File with Excessive Number of Lines of Code |
|
Major |
References, Relationships |
|
Minor |
None |
1082 |
Class Instance Self Destruction Control Element |
|
Major |
Relationships |
|
Minor |
None |
1083 |
Data Access from Outside Expected Data Manager Component |
|
Major |
Relationships |
|
Minor |
None |
1084 |
Invokable Control Element with Excessive File or Data Access Operations |
|
Major |
References, Relationships |
|
Minor |
None |
1085 |
Invokable Control Element with Excessive Volume of Commented-out Code |
|
Major |
References, Relationships |
|
Minor |
None |
1086 |
Class with Excessive Number of Child Classes |
|
Major |
References, Relationships |
|
Minor |
None |
1087 |
Class with Virtual Method without a Virtual Destructor |
|
Major |
Relationships |
|
Minor |
None |
1088 |
Synchronous Access of Remote Resource without Timeout |
|
Major |
Relationships |
|
Minor |
None |
1089 |
Large Data Table with Excessive Number of Indices |
|
Major |
References, Relationships |
|
Minor |
None |
1090 |
Method Containing Access of a Member Element from Another Class |
|
Major |
References, Relationships |
|
Minor |
None |
1091 |
Use of Object without Invoking Destructor Method |
|
Major |
References, Relationships |
|
Minor |
None |
1092 |
Use of Same Invokable Control Element in Multiple Architectural Layers |
|
Major |
References, Relationships |
|
Minor |
None |
1093 |
Excessively Complex Data Representation |
|
Major |
Relationships |
|
Minor |
None |
1094 |
Excessive Index Range Scan for a Data Resource |
|
Major |
References, Relationships |
|
Minor |
None |
1095 |
Loop Condition Value Update within the Loop |
|
Major |
References, Relationships |
|
Minor |
None |
1096 |
Singleton Class Instance Creation without Proper Locking or Synchronization |
|
Major |
Relationships |
|
Minor |
None |
1097 |
Persistent Storable Data Element without Associated Comparison Control Element |
|
Major |
Relationships |
|
Minor |
None |
1098 |
Data Element containing Pointer Item without Proper Copy Control Element |
|
Major |
Relationships, Type |
|
Minor |
None |
1099 |
Inconsistent Naming Conventions for Identifiers |
|
Major |
Relationships |
|
Minor |
None |
1100 |
Insufficient Isolation of System-Dependent Functions |
|
Major |
Relationships |
|
Minor |
None |
1101 |
Reliance on Runtime Component in Generated Code |
|
Major |
Relationships |
|
Minor |
None |
1102 |
Reliance on Machine-Dependent Data Representation |
|
Major |
Relationships |
|
Minor |
None |
1103 |
Use of Platform-Dependent Third Party Components |
|
Major |
Relationships |
|
Minor |
None |
1104 |
Use of Unmaintained Third Party Components |
|
Major |
Relationships |
|
Minor |
None |
1105 |
Insufficient Encapsulation of Machine-Dependent Functionality |
|
Major |
Relationships |
|
Minor |
None |
1106 |
Insufficient Use of Symbolic Constants |
|
Major |
Relationships |
|
Minor |
None |
1107 |
Insufficient Isolation of Symbolic Constant Definitions |
|
Major |
Relationships |
|
Minor |
None |
1108 |
Excessive Reliance on Global Variables |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
1109 |
Use of Same Variable for Multiple Purposes |
|
Major |
Relationships |
|
Minor |
None |
1110 |
Incomplete Design Documentation |
|
Major |
Relationships |
|
Minor |
None |
1111 |
Incomplete I/O Documentation |
|
Major |
Relationships |
|
Minor |
None |
1112 |
Incomplete Documentation of Program Execution |
|
Major |
Relationships |
|
Minor |
None |
1113 |
Inappropriate Comment Style |
|
Major |
Relationships |
|
Minor |
None |
1114 |
Inappropriate Whitespace Style |
|
Major |
Relationships |
|
Minor |
None |
1115 |
Source Code Element without Standard Prologue |
|
Major |
Relationships |
|
Minor |
None |
1116 |
Inaccurate Comments |
|
Major |
Relationships |
|
Minor |
None |
1117 |
Callable with Insufficient Behavioral Summary |
|
Major |
Relationships |
|
Minor |
None |
1118 |
Insufficient Documentation of Error Handling Techniques |
|
Major |
Relationships |
|
Minor |
None |
1119 |
Excessive Use of Unconditional Branching |
|
Major |
Relationships |
|
Minor |
None |
1120 |
Excessive Code Complexity |
|
Major |
Relationships |
|
Minor |
None |
1121 |
Excessive McCabe Cyclomatic Complexity |
|
Major |
References, Relationships |
|
Minor |
None |
1122 |
Excessive Halstead Complexity |
|
Major |
Relationships |
|
Minor |
None |
1123 |
Excessive Use of Self-Modifying Code |
|
Major |
Relationships |
|
Minor |
None |
1124 |
Excessively Deep Nesting |
|
Major |
Relationships |
|
Minor |
None |
1125 |
Excessive Attack Surface |
|
Major |
Relationships |
|
Minor |
None |
1126 |
Declaration of Variable with Unnecessarily Wide Scope |
|
Major |
Relationships |
|
Minor |
None |
1127 |
Compilation with Insufficient Warnings or Errors |
|
Major |
Relationships |
|
Minor |
None |
1129 |
CISQ Quality Measures (2016) - Reliability |
|
Major |
Mapping_Notes |
|
Minor |
None |
1130 |
CISQ Quality Measures (2016) - Maintainability |
|
Major |
Mapping_Notes, References |
|
Minor |
None |
1131 |
CISQ Quality Measures (2016) - Security |
|
Major |
Mapping_Notes |
|
Minor |
None |
1132 |
CISQ Quality Measures (2016) - Performance Efficiency |
|
Major |
Mapping_Notes, References |
|
Minor |
None |
1134 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1135 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 01. Declarations and Initialization (DCL) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1136 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1137 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1138 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 04. Characters and Strings (STR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1139 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1140 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1141 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1142 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1143 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1144 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 10. Thread APIs (THI) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1145 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1146 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 12. Thread-Safety Miscellaneous (TSM) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1147 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1148 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1149 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1150 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1151 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 17. Java Native Interface (JNI) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1152 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1153 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1155 |
SEI CERT C Coding Standard - Guidelines 01. Preprocessor (PRE) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1156 |
SEI CERT C Coding Standard - Guidelines 02. Declarations and Initialization (DCL) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1157 |
SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1158 |
SEI CERT C Coding Standard - Guidelines 04. Integers (INT) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1159 |
SEI CERT C Coding Standard - Guidelines 05. Floating Point (FLP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1160 |
SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1161 |
SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1162 |
SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1163 |
SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1164 |
Irrelevant Code |
|
Major |
Relationships |
|
Minor |
None |
1165 |
SEI CERT C Coding Standard - Guidelines 10. Environment (ENV) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1166 |
SEI CERT C Coding Standard - Guidelines 11. Signals (SIG) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1167 |
SEI CERT C Coding Standard - Guidelines 12. Error Handling (ERR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1168 |
SEI CERT C Coding Standard - Guidelines 13. Application Programming Interfaces (API) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1169 |
SEI CERT C Coding Standard - Guidelines 14. Concurrency (CON) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1170 |
SEI CERT C Coding Standard - Guidelines 48. Miscellaneous (MSC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1171 |
SEI CERT C Coding Standard - Guidelines 50. POSIX (POS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1172 |
SEI CERT C Coding Standard - Guidelines 51. Microsoft Windows (WIN) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1173 |
Improper Use of Validation Framework |
|
Major |
Relationships |
|
Minor |
None |
1174 |
ASP.NET Misconfiguration: Improper Model Validation |
|
Major |
Relationships |
|
Minor |
None |
1175 |
SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1176 |
Inefficient CPU Computation |
|
Major |
Relationships |
|
Minor |
None |
1177 |
Use of Prohibited Code |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
1179 |
SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1180 |
SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1181 |
SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1182 |
SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1183 |
SEI CERT Perl Coding Standard - Guidelines 05. Strings (STR) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1184 |
SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1185 |
SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1186 |
SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1188 |
Insecure Default Initialization of Resource |
|
Major |
Relationships |
|
Minor |
None |
1189 |
Improper Isolation of Shared Resources on System-on-a-Chip (SoC) |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
1190 |
DMA Device Enabled Too Early in Boot Phase |
|
Major |
References, Relationships |
|
Minor |
None |
1191 |
On-Chip Debug and Test Interface With Improper Access Control |
|
Major |
References, Relationships |
|
Minor |
None |
1192 |
System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers |
|
Major |
Relationships |
|
Minor |
None |
1193 |
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control |
|
Major |
References, Relationships |
|
Minor |
None |
1195 |
Manufacturing and Life Cycle Management Concerns |
|
Major |
Mapping_Notes |
|
Minor |
None |
1196 |
Security Flow Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1197 |
Integration Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1198 |
Privilege Separation and Access Control Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1199 |
General Circuit and Logic Design Concerns |
|
Major |
Mapping_Notes |
|
Minor |
None |
1201 |
Core and Compute Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1202 |
Memory and Storage Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1203 |
Peripherals, On-chip Fabric, and Interface/IO Problems |
|
Major |
Mapping_Notes |
|
Minor |
None |
1204 |
Generation of Weak Initialization Vector (IV) |
|
Major |
References, Relationships, Time_of_Introduction |
|
Minor |
None |
1205 |
Security Primitives and Cryptography Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1206 |
Power, Clock, Thermal, and Reset Concerns |
|
Major |
Mapping_Notes |
|
Minor |
None |
1207 |
Debug and Test Problems |
|
Major |
Mapping_Notes |
|
Minor |
None |
1208 |
Cross-Cutting Problems |
|
Major |
Mapping_Notes |
|
Minor |
None |
1209 |
Failure to Disable Reserved Bits |
|
Major |
Relationships |
|
Minor |
None |
1210 |
Audit / Logging Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1211 |
Authentication Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1212 |
Authorization Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1213 |
Random Number Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1214 |
Data Integrity Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1215 |
Data Validation Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1216 |
Lockout Mechanism Errors |
|
Major |
Mapping_Notes |
|
Minor |
None |
1217 |
User Session Errors |
|
Major |
Mapping_Notes |
|
Minor |
None |
1218 |
Memory Buffer Errors |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1219 |
File Handling Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1220 |
Insufficient Granularity of Access Control |
|
Major |
Relationships |
|
Minor |
None |
1221 |
Incorrect Register Defaults or Module Parameters |
|
Major |
Relationships |
|
Minor |
None |
1222 |
Insufficient Granularity of Address Regions Protected by Register Locks |
|
Major |
Relationships |
|
Minor |
None |
1223 |
Race Condition for Write-Once Attributes |
|
Major |
Relationships |
|
Minor |
None |
1224 |
Improper Restriction of Write-Once Bit Fields |
|
Major |
Relationships |
|
Minor |
None |
1225 |
Documentation Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1226 |
Complexity Issues |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1227 |
Encapsulation Issues |
|
Major |
Mapping_Notes |
|
Minor |
None |
1228 |
API / Function Errors |
|
Major |
Mapping_Notes |
|
Minor |
None |
1229 |
Creation of Emergent Resource |
|
Major |
Relationships |
|
Minor |
None |
1230 |
Exposure of Sensitive Information Through Metadata |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
1231 |
Improper Prevention of Lock Bit Modification |
|
Major |
Relationships |
|
Minor |
None |
1232 |
Improper Lock Behavior After Power State Transition |
|
Major |
Relationships |
|
Minor |
None |
1233 |
Security-Sensitive Hardware Controls with Missing Lock Bit Protection |
|
Major |
Relationships |
|
Minor |
None |
1234 |
Hardware Internal or Debug Modes Allow Override of Locks |
|
Major |
Relationships |
|
Minor |
None |
1235 |
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
1236 |
Improper Neutralization of Formula Elements in a CSV File |
|
Major |
References, Relationships |
|
Minor |
None |
1237 |
SFP Primary Cluster: Faulty Resource Release |
|
Major |
Mapping_Notes |
|
Minor |
None |
1238 |
SFP Primary Cluster: Failure to Release Memory |
|
Major |
Mapping_Notes |
|
Minor |
None |
1239 |
Improper Zeroization of Hardware Register |
|
Major |
References, Relationships |
|
Minor |
None |
1240 |
Use of a Cryptographic Primitive with a Risky Implementation |
|
Major |
References, Relationships |
|
Minor |
None |
1241 |
Use of Predictable Algorithm in Random Number Generator |
|
Major |
Relationships |
|
Minor |
None |
1242 |
Inclusion of Undocumented Features or Chicken Bits |
|
Major |
Relationships, Taxonomy_Mappings |
|
Minor |
None |
1243 |
Sensitive Non-Volatile Information Not Protected During Debug |
|
Major |
Relationships |
|
Minor |
None |
1244 |
Internal Asset Exposed to Unsafe Debug Access Level or State |
|
Major |
References, Relationships |
|
Minor |
None |
1245 |
Improper Finite State Machines (FSMs) in Hardware Logic |
|
Major |
Relationships |
|
Minor |
None |
1246 |
Improper Write Handling in Limited-write Non-Volatile Memories |
|
Major |
References, Relationships, Taxonomy_Mappings |
|
Minor |
None |
1247 |
Improper Protection Against Voltage and Clock Glitches |
|
Major |
References, Relationships |
|
Minor |
None |
1248 |
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications |
|
Major |
Description, References, Relationships |
|
Minor |
None |
1249 |
Application-Level Admin Tool with Inconsistent View of Underlying Operating System |
|
Major |
References, Relationships |
|
Minor |
None |
1250 |
Improper Preservation of Consistency Between Independent Representations of Shared State |
|
Major |
Relationships |
|
Minor |
None |
1251 |
Mirrored Regions with Different Values |
|
Major |
Relationships |
|
Minor |
None |
1252 |
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations |
|
Major |
References, Relationships |
|
Minor |
None |
1253 |
Incorrect Selection of Fuse Values |
|
Major |
Relationships |
|
Minor |
None |
1254 |
Incorrect Comparison Logic Granularity |
|
Major |
Observed_Examples, Relationships |
|
Minor |
None |
1255 |
Comparison Logic is Vulnerable to Power Side-Channel Attacks |
|
Major |
Relationships |
|
Minor |
None |
1256 |
Improper Restriction of Software Interfaces to Hardware Features |
|
Major |
Relationships |
|
Minor |
None |
1257 |
Improper Access Control Applied to Mirrored or Aliased Memory Regions |
|
Major |
Relationships |
|
Minor |
None |
1258 |
Exposure of Sensitive System Information Due to Uncleared Debug Information |
|
Major |
Relationships |
|
Minor |
None |
1259 |
Improper Restriction of Security Token Assignment |
|
Major |
Relationships |
|
Minor |
None |
1260 |
Improper Handling of Overlap Between Protected Memory Ranges |
|
Major |
Relationships |
|
Minor |
None |
1261 |
Improper Handling of Single Event Upsets |
|
Major |
References, Relationships |
|
Minor |
None |
1262 |
Improper Access Control for Register Interface |
|
Major |
Relationships |
|
Minor |
None |
1263 |
Improper Physical Access Control |
|
Major |
Relationships |
|
Minor |
None |
1264 |
Hardware Logic with Insecure De-Synchronization between Control and Data Channels |
|
Major |
Relationships |
|
Minor |
None |
1265 |
Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls |
|
Major |
References, Relationships |
|
Minor |
None |
1266 |
Improper Scrubbing of Sensitive Data from Decommissioned Device |
|
Major |
Relationships |
|
Minor |
None |
1267 |
Policy Uses Obsolete Encoding |
|
Major |
References, Relationships |
|
Minor |
None |
1268 |
Policy Privileges are not Assigned Consistently Between Control and Data Agents |
|
Major |
Relationships |
|
Minor |
None |
1269 |
Product Released in Non-Release Configuration |
|
Major |
Relationships |
|
Minor |
None |
1270 |
Generation of Incorrect Security Tokens |
|
Major |
Relationships |
|
Minor |
None |
1271 |
Uninitialized Value on Reset for Registers Holding Security Settings |
|
Major |
Relationships |
|
Minor |
None |
1272 |
Sensitive Information Uncleared Before Debug/Power State Transition |
|
Major |
Relationships |
|
Minor |
None |
1273 |
Device Unlock Credential Sharing |
|
Major |
Relationships |
|
Minor |
None |
1274 |
Improper Access Control for Volatile Memory Containing Boot Code |
|
Major |
Relationships |
|
Minor |
None |
1275 |
Sensitive Cookie with Improper SameSite Attribute |
|
Major |
Detection_Factors, References, Relationships |
|
Minor |
None |
1276 |
Hardware Child Block Incorrectly Connected to Parent System |
|
Major |
Relationships |
|
Minor |
None |
1277 |
Firmware Not Updateable |
|
Major |
Relationships |
|
Minor |
None |
1278 |
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques |
|
Major |
References, Relationships |
|
Minor |
None |
1279 |
Cryptographic Operations are run Before Supporting Units are Ready |
|
Major |
Relationships |
|
Minor |
None |
1280 |
Access Control Check Implemented After Asset is Accessed |
|
Major |
Relationships |
|
Minor |
None |
1281 |
Sequence of Processor Instructions Leads to Unexpected Behavior |
|
Major |
Demonstrative_Examples, Description, References, Relationships |
|
Minor |
None |
1282 |
Assumed-Immutable Data is Stored in Writable Memory |
|
Major |
Relationships |
|
Minor |
None |
1283 |
Mutable Attestation or Measurement Reporting Data |
|
Major |
Relationships |
|
Minor |
None |
1284 |
Improper Validation of Specified Quantity in Input |
|
Major |
Relationships |
|
Minor |
None |
1285 |
Improper Validation of Specified Index, Position, or Offset in Input |
|
Major |
Relationships |
|
Minor |
None |
1286 |
Improper Validation of Syntactic Correctness of Input |
|
Major |
Relationships |
|
Minor |
None |
1287 |
Improper Validation of Specified Type of Input |
|
Major |
Relationships |
|
Minor |
None |
1288 |
Improper Validation of Consistency within Input |
|
Major |
Relationships |
|
Minor |
None |
1289 |
Improper Validation of Unsafe Equivalence in Input |
|
Major |
Relationships |
|
Minor |
None |
1290 |
Incorrect Decoding of Security Identifiers |
|
Major |
Relationships |
|
Minor |
None |
1291 |
Public Key Re-Use for Signing both Debug and Production Code |
|
Major |
Relationships |
|
Minor |
None |
1292 |
Incorrect Conversion of Security Identifiers |
|
Major |
Relationships |
|
Minor |
None |
1293 |
Missing Source Correlation of Multiple Independent Data |
|
Major |
Relationships |
|
Minor |
None |
1294 |
Insecure Security Identifier Mechanism |
|
Major |
Relationships |
|
Minor |
None |
1295 |
Debug Messages Revealing Unnecessary Information |
|
Major |
Observed_Examples, References, Relationships |
|
Minor |
None |
1296 |
Incorrect Chaining or Granularity of Debug Components |
|
Major |
Relationships |
|
Minor |
None |
1297 |
Unprotected Confidential Information on Device is Accessible by OSAT Vendors |
|
Major |
References, Relationships |
|
Minor |
None |
1298 |
Hardware Logic Contains Race Conditions |
|
Major |
Relationships |
|
Minor |
None |
1299 |
Missing Protection Mechanism for Alternate Hardware Interface |
|
Major |
Relationships |
|
Minor |
None |
1300 |
Improper Protection of Physical Side Channels |
|
Major |
References, Relationships |
|
Minor |
None |
1301 |
Insufficient or Incomplete Data Removal within Hardware Component |
|
Major |
References, Relationships |
|
Minor |
None |
1302 |
Missing Security Identifier |
|
Major |
Relationships |
|
Minor |
None |
1303 |
Non-Transparent Sharing of Microarchitectural Resources |
|
Major |
Relationships |
|
Minor |
None |
1304 |
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation |
|
Major |
Relationships |
|
Minor |
None |
1306 |
CISQ Quality Measures - Reliability |
|
Major |
Mapping_Notes |
|
Minor |
None |
1307 |
CISQ Quality Measures - Maintainability |
|
Major |
Mapping_Notes |
|
Minor |
None |
1308 |
CISQ Quality Measures - Security |
|
Major |
Mapping_Notes |
|
Minor |
None |
1309 |
CISQ Quality Measures - Efficiency |
|
Major |
Mapping_Notes |
|
Minor |
None |
1310 |
Missing Ability to Patch ROM Code |
|
Major |
Relationships |
|
Minor |
None |
1311 |
Improper Translation of Security Attributes by Fabric Bridge |
|
Major |
Relationships |
|
Minor |
None |
1312 |
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall |
|
Major |
Relationships |
|
Minor |
None |
1313 |
Hardware Allows Activation of Test or Debug Logic at Runtime |
|
Major |
Relationships |
|
Minor |
None |
1314 |
Missing Write Protection for Parametric Data Values |
|
Major |
Relationships |
|
Minor |
None |
1315 |
Improper Setting of Bus Controlling Capability in Fabric End-point |
|
Major |
Relationships |
|
Minor |
None |
1316 |
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges |
|
Major |
Relationships |
|
Minor |
None |
1317 |
Improper Access Control in Fabric Bridge |
|
Major |
Relationships |
|
Minor |
None |
1318 |
Missing Support for Security Features in On-chip Fabrics or Buses |
|
Major |
Relationships |
|
Minor |
None |
1319 |
Improper Protection against Electromagnetic Fault Injection (EM-FI) |
|
Major |
References, Relationships |
|
Minor |
None |
1320 |
Improper Protection for Outbound Error Messages and Alert Signals |
|
Major |
Relationships |
|
Minor |
None |
1321 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
|
Major |
Relationships |
|
Minor |
None |
1322 |
Use of Blocking Code in Single-threaded, Non-blocking Context |
|
Major |
Relationships |
|
Minor |
None |
1323 |
Improper Management of Sensitive Trace Data |
|
Major |
Relationships |
|
Minor |
None |
1324 |
DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface |
|
Major |
Mapping_Notes |
|
Minor |
None |
1325 |
Improperly Controlled Sequential Memory Allocation |
|
Major |
Relationships |
|
Minor |
None |
1326 |
Missing Immutable Root of Trust in Hardware |
|
Major |
Relationships |
|
Minor |
None |
1327 |
Binding to an Unrestricted IP Address |
|
Major |
Relationships |
|
Minor |
None |
1328 |
Security Version Number Mutable to Older Versions |
|
Major |
Relationships |
|
Minor |
None |
1329 |
Reliance on Component That is Not Updateable |
|
Major |
Relationships |
|
Minor |
None |
1330 |
Remanent Data Readable after Memory Erase |
|
Major |
Relationships |
|
Minor |
None |
1331 |
Improper Isolation of Shared Resources in Network On Chip (NoC) |
|
Major |
Relationships |
|
Minor |
None |
1332 |
Improper Handling of Faults that Lead to Instruction Skips |
|
Major |
References, Relationships |
|
Minor |
None |
1333 |
Inefficient Regular Expression Complexity |
|
Major |
References, Relationships |
|
Minor |
None |
1334 |
Unauthorized Error Injection Can Degrade Hardware Redundancy |
|
Major |
Relationships |
|
Minor |
None |
1335 |
Incorrect Bitwise Shift of Integer |
|
Major |
Relationships |
|
Minor |
None |
1336 |
Improper Neutralization of Special Elements Used in a Template Engine |
|
Major |
Relationships |
|
Minor |
None |
1338 |
Improper Protections Against Hardware Overheating |
|
Major |
Relationships |
|
Minor |
None |
1339 |
Insufficient Precision or Accuracy of a Real Number |
|
Major |
References, Relationships |
|
Minor |
None |
1341 |
Multiple Releases of Same Resource or Handle |
|
Major |
Relationships |
|
Minor |
None |
1342 |
Information Exposure through Microarchitectural State after Transient Execution |
|
Major |
Relationships |
|
Minor |
None |
1345 |
OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
|
Major |
Mapping_Notes |
|
Minor |
None |
1346 |
OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
|
Major |
Mapping_Notes |
|
Minor |
None |
1347 |
OWASP Top Ten 2021 Category A03:2021 - Injection |
|
Major |
Mapping_Notes |
|
Minor |
None |
1348 |
OWASP Top Ten 2021 Category A04:2021 - Insecure Design |
|
Major |
Mapping_Notes |
|
Minor |
None |
1349 |
OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
|
Major |
Mapping_Notes |
|
Minor |
None |
1351 |
Improper Handling of Hardware Behavior in Exceptionally Cold Environments |
|
Major |
Relationships |
|
Minor |
None |
1352 |
OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components |
|
Major |
Mapping_Notes |
|
Minor |
None |
1353 |
OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures |
|
Major |
Mapping_Notes |
|
Minor |
None |
1354 |
OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures |
|
Major |
Mapping_Notes |
|
Minor |
None |
1355 |
OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures |
|
Major |
Mapping_Notes |
|
Minor |
None |
1356 |
OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1357 |
Reliance on Insufficiently Trustworthy Component |
|
Major |
References, Relationships |
|
Minor |
None |
1359 |
ICS Communications |
|
Major |
Mapping_Notes |
|
Minor |
None |
1360 |
ICS Dependencies (& Architecture) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1361 |
ICS Supply Chain |
|
Major |
Mapping_Notes |
|
Minor |
None |
1362 |
ICS Engineering (Constructions/Deployment) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1363 |
ICS Operations (& Maintenance) |
|
Major |
Mapping_Notes |
|
Minor |
None |
1364 |
ICS Communications: Zone Boundary Failures |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1365 |
ICS Communications: Unreliability |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1366 |
ICS Communications: Frail Security in Protocols |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1367 |
ICS Dependencies (& Architecture): External Physical Systems |
|
Major |
Mapping_Notes |
|
Minor |
None |
1368 |
ICS Dependencies (& Architecture): External Digital Systems |
|
Major |
Mapping_Notes |
|
Minor |
None |
1369 |
ICS Supply Chain: IT/OT Convergence/Expansion |
|
Major |
Mapping_Notes |
|
Minor |
None |
1370 |
ICS Supply Chain: Common Mode Frailties |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1371 |
ICS Supply Chain: Poorly Documented or Undocumented Features |
|
Major |
Mapping_Notes |
|
Minor |
None |
1372 |
ICS Supply Chain: OT Counterfeit and Malicious Corruption |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1373 |
ICS Engineering (Construction/Deployment): Trust Model Problems |
|
Major |
Mapping_Notes |
|
Minor |
None |
1374 |
ICS Engineering (Construction/Deployment): Maker Breaker Blindness |
|
Major |
Mapping_Notes |
|
Minor |
None |
1375 |
ICS Engineering (Construction/Deployment): Gaps in Details/Data |
|
Major |
Mapping_Notes, Relationships |
|
Minor |
None |
1376 |
ICS Engineering (Construction/Deployment): Security Gaps in Commissioning |
|
Major |
Mapping_Notes |
|
Minor |
None |
1377 |
ICS Engineering (Construction/Deployment): Inherent Predictability in Design |
|
Major |
Mapping_Notes |
|
Minor |
None |
1378 |
ICS Operations (& Maintenance): Gaps in obligations and training |
|
Major |
Maintenance_Notes, Mapping_Notes |
|
Minor |
None |
1379 |
ICS Operations (& Maintenance): Human factors in ICS environments |
|
Major |
Maintenance_Notes, Mapping_Notes |
|
Minor |
None |
1380 |
ICS Operations (& Maintenance): Post-analysis changes |
|
Major |
Maintenance_Notes, Mapping_Notes |
|
Minor |
None |
1381 |
ICS Operations (& Maintenance): Exploitable Standard Operational Procedures |
|
Major |
Maintenance_Notes, Mapping_Notes |
|
Minor |
None |
1382 |
ICS Operations (& Maintenance): Emerging Energy Technologies |
|
Major |
Maintenance_Notes, Mapping_Notes |
|
Minor |
None |
1383 |
ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements |
|
Major |
Maintenance_Notes, Mapping_Notes |
|
Minor |
None |
1384 |
Improper Handling of Physical or Environmental Conditions |
|
Major |
Relationships |
|
Minor |
None |
1385 |
Missing Origin Validation in WebSockets |
|
Major |
References, Relationships |
|
Minor |
None |
1386 |
Insecure Operation on Windows Junction / Mount Point |
|
Major |
Relationships |
|
Minor |
None |
1388 |
Physical Access Issues and Concerns |
|
Major |
Mapping_Notes |
|
Minor |
None |
1389 |
Incorrect Parsing of Numbers with Different Radices |
|
Major |
Relationships, Time_of_Introduction |
|
Minor |
None |
1390 |
Weak Authentication |
|
Major |
Relationships |
|
Minor |
None |
1391 |
Use of Weak Credentials |
|
Major |
References, Relationships |
|
Minor |
None |
1392 |
Use of Default Credentials |
|
Major |
Relationships |
|
Minor |
None |
1393 |
Use of Default Password |
|
Major |
Relationships |
|
Minor |
None |
1394 |
Use of Default Cryptographic Key |
|
Major |
Relationships |
|
Minor |
None |
1395 |
Dependency on Vulnerable Third-Party Component |
|
Major |
References, Relationships |
|
Minor |
None |