Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
The "Version 4.4 Total" lists the total number of relationships
in Version 4.4. The "Shared" value is the total number of
relationships in entries that were in both Version 4.4 and Version 4.3. The
"New" value is the total number of relationships involving
entries that did not exist in Version 4.3. Thus, the total number of
relationships in Version 4.4 would combine stats from Shared entries and
New entries.
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
D | | |
20 |
Improper Input Validation |
| | R |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| | R |
59 |
Improper Link Resolution Before File Access ('Link Following') |
| | R |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
D | | |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| | R |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
D | | |
111 |
Direct Use of Unsafe JNI |
| | R |
116 |
Improper Encoding or Escaping of Output |
| | R |
129 |
Improper Validation of Array Index |
| | R |
134 |
Use of Externally-Controlled Format String |
| | R |
185 |
Incorrect Regular Expression |
| | R |
189 |
Numeric Errors |
D | | |
217 |
DEPRECATED: Failure to Protect Stored Data from Modification |
| | R |
248 |
Uncaught Exception |
D | | |
249 |
DEPRECATED: Often Misused: Path Manipulation |
| | R |
252 |
Unchecked Return Value |
| | R |
284 |
Improper Access Control |
D | | |
301 |
Reflection Attack in an Authentication Protocol |
D | N | R |
329 |
Not Using an Unpredictable IV with CBC Mode |
| | R |
330 |
Use of Insufficiently Random Values |
| | R |
375 |
Returning a Mutable Object to an Untrusted Caller |
D | | R |
391 |
Unchecked Error Condition |
| | R |
394 |
Unexpected Status Code or Return Value |
| | R |
401 |
Missing Release of Memory after Effective Lifetime |
| | R |
407 |
Inefficient Algorithmic Complexity |
D | | |
427 |
Uncontrolled Search Path Element |
| | R |
456 |
Missing Initialization of a Variable |
| | R |
457 |
Use of Uninitialized Variable |
| | R |
460 |
Improper Cleanup on Thrown Exception |
| | R |
477 |
Use of Obsolete Function |
| | R |
480 |
Use of Incorrect Operator |
| | R |
488 |
Exposure of Data Element to Wrong Session |
| | R |
498 |
Cloneable Class Containing Sensitive Information |
| | R |
499 |
Serializable Class Containing Sensitive Data |
| | R |
561 |
Dead Code |
| | R |
563 |
Assignment to Variable without Use |
D | | R |
597 |
Use of Wrong Operator in String Comparison |
| | R |
603 |
Use of Client-Side Authentication |
| | R |
628 |
Function Call with Incorrectly Specified Arguments |
| | R |
656 |
Reliance on Security Through Obscurity |
| | R |
664 |
Improper Control of a Resource Through its Lifetime |
| | R |
668 |
Exposure of Resource to Wrong Sphere |
| | R |
681 |
Incorrect Conversion between Numeric Types |
| | R |
687 |
Function Call With Incorrectly Specified Argument Value |
| | R |
690 |
Unchecked Return Value to NULL Pointer Dereference |
| | R |
705 |
Incorrect Control Flow Scoping |
D | | |
711 |
Weaknesses in OWASP Top Ten (2004) |
D | | |
734 |
Weaknesses Addressed by the CERT C Secure Coding Standard (2008) |
| | R |
754 |
Improper Check for Unusual or Exceptional Conditions |
| | R |
762 |
Mismatched Memory Management Routines |
| | R |
767 |
Access to Critical Private Variable via Public Method |
| | R |
783 |
Operator Precedence Logic Error |
| | R |
789 |
Memory Allocation with Excessive Size Value |
D | | |
868 |
Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version) |
| | R |
969 |
SFP Secondary Cluster: Faulty Memory Release |
| | R |
977 |
SFP Secondary Cluster: Design |
| | R |
982 |
SFP Secondary Cluster: Failure to Release Resource |
| | R |
998 |
SFP Secondary Cluster: Glitch in Computation |
D | | |
1000 |
Research Concepts |
D | N | |
1129 |
CISQ Quality Measures (2016) - Reliability |
D | N | |
1130 |
CISQ Quality Measures (2016) - Maintainability |
D | N | |
1131 |
CISQ Quality Measures (2016) - Security |
D | N | |
1132 |
CISQ Quality Measures (2016) - Performance Efficiency |
| | R |
1179 |
SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS) |
| | R |
1180 |
SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL) |
| | R |
1181 |
SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP) |
| | R |
1182 |
SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT) |
| | R |
1184 |
SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP) |
| | R |
1185 |
SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO) |
| | R |
1186 |
SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC) |
D | | |
1232 |
Improper Lock Behavior After Power State Transition |
D | | |
1236 |
Improper Neutralization of Formula Elements in a CSV File |
D | | |
1243 |
Sensitive Non-Volatile Information Not Protected During Debug |
| | R |
1255 |
Comparison Logic is Vulnerable to Power Side-Channel Attacks |
| N | |
1271 |
Uninitialized Value on Reset for Registers Holding Security Settings |
| | R |
1327 |
Binding to an Unrestricted IP Address |
D | | |
1332 |
Insufficient Protection Against Instruction Skipping Via Fault Injection |
13 |
ASP.NET Misconfiguration: Password in Configuration File |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
20 |
Improper Input Validation |
|
Major |
Description, Potential_Mitigations |
|
Minor |
None |
21 |
DEPRECATED: Pathname Traversal and Equivalence Errors |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
23 |
Relative Path Traversal |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
32 |
Path Traversal: '...' (Triple Dot) |
|
Major |
Potential_Mitigations |
|
Minor |
None |
33 |
Path Traversal: '....' (Multiple Dot) |
|
Major |
Potential_Mitigations |
|
Minor |
None |
34 |
Path Traversal: '....//' |
|
Major |
Potential_Mitigations |
|
Minor |
None |
35 |
Path Traversal: '.../...//' |
|
Major |
Potential_Mitigations |
|
Minor |
None |
36 |
Absolute Path Traversal |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
37 |
Path Traversal: '/absolute/pathname/here' |
|
Major |
Potential_Mitigations |
|
Minor |
None |
38 |
Path Traversal: '\absolute\pathname\here' |
|
Major |
Potential_Mitigations |
|
Minor |
None |
39 |
Path Traversal: 'C:dirname' |
|
Major |
Potential_Mitigations |
|
Minor |
None |
40 |
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
|
Major |
Potential_Mitigations |
|
Minor |
None |
59 |
Improper Link Resolution Before File Access ('Link Following') |
|
Major |
Relationships |
|
Minor |
None |
60 |
DEPRECATED: UNIX Path Link Problems |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
68 |
DEPRECATED: Windows Virtual File Problems |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
70 |
DEPRECATED: Mac Virtual File Problems |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
71 |
DEPRECATED: Apple '.DS_Store' |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
73 |
External Control of File Name or Path |
|
Major |
Maintenance_Notes, Potential_Mitigations |
|
Minor |
None |
77 |
Improper Neutralization of Special Elements used in a Command ('Command Injection') |
|
Major |
Relationships |
|
Minor |
None |
79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|
Major |
Demonstrative_Examples, Description |
|
Minor |
None |
87 |
Improper Neutralization of Alternate XSS Syntax |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
94 |
Improper Control of Generation of Code ('Code Injection') |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
95 |
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
|
Major |
Relationships |
|
Minor |
None |
96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
98 |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
|
Major |
Potential_Mitigations |
|
Minor |
None |
111 |
Direct Use of Unsafe JNI |
|
Major |
Description |
|
Minor |
None |
114 |
Process Control |
|
Major |
Maintenance_Notes |
|
Minor |
None |
116 |
Improper Encoding or Escaping of Output |
|
Major |
Relationships, Terminology_Notes |
|
Minor |
None |
120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
121 |
Stack-based Buffer Overflow |
|
Major |
Demonstrative_Examples, References |
|
Minor |
None |
122 |
Heap-based Buffer Overflow |
|
Major |
References |
|
Minor |
None |
123 |
Write-what-where Condition |
|
Major |
References |
|
Minor |
None |
124 |
Buffer Underwrite ('Buffer Underflow') |
|
Major |
Potential_Mitigations |
|
Minor |
None |
128 |
Wrap-around Error |
|
Major |
Potential_Mitigations, References |
|
Minor |
None |
129 |
Improper Validation of Array Index |
|
Major |
References, Relationships |
|
Minor |
None |
131 |
Incorrect Calculation of Buffer Size |
|
Major |
Demonstrative_Examples, Potential_Mitigations |
|
Minor |
None |
134 |
Use of Externally-Controlled Format String |
|
Major |
Potential_Mitigations, Relationships |
|
Minor |
None |
135 |
Incorrect Calculation of Multi-Byte String Length |
|
Major |
References |
|
Minor |
None |
159 |
Improper Handling of Invalid Use of Special Elements |
|
Major |
Maintenance_Notes |
|
Minor |
None |
171 |
DEPRECATED: Cleansing, Canonicalization, and Comparison Errors |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
178 |
Improper Handling of Case Sensitivity |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
185 |
Incorrect Regular Expression |
|
Major |
Relationships |
|
Minor |
None |
188 |
Reliance on Data/Memory Layout |
|
Major |
References |
|
Minor |
None |
189 |
Numeric Errors |
|
Major |
Relationships |
|
Minor |
None |
190 |
Integer Overflow or Wraparound |
|
Major |
Potential_Mitigations |
|
Minor |
None |
191 |
Integer Underflow (Wrap or Wraparound) |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
192 |
Integer Coercion Error |
|
Major |
Demonstrative_Examples, Maintenance_Notes, References |
|
Minor |
None |
193 |
Off-by-one Error |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
194 |
Unexpected Sign Extension |
|
Major |
Potential_Mitigations, References |
|
Minor |
None |
195 |
Signed to Unsigned Conversion Error |
|
Major |
Demonstrative_Examples, References |
|
Minor |
None |
196 |
Unsigned to Signed Conversion Error |
|
Major |
References |
|
Minor |
None |
217 |
DEPRECATED: Failure to Protect Stored Data from Modification |
|
Major |
Description |
|
Minor |
None |
228 |
Improper Handling of Syntactically Invalid Structure |
|
Major |
Demonstrative_Examples, Maintenance_Notes, Theoretical_Notes |
|
Minor |
None |
230 |
Improper Handling of Missing Values |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
233 |
Improper Handling of Parameters |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
242 |
Use of Inherently Dangerous Function |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
247 |
DEPRECATED (Duplicate): Reliance on DNS Lookups in a Security Decision |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
248 |
Uncaught Exception |
|
Major |
Relationships |
|
Minor |
None |
249 |
DEPRECATED: Often Misused: Path Manipulation |
|
Major |
Description, Maintenance_Notes |
|
Minor |
None |
252 |
Unchecked Return Value |
|
Major |
Demonstrative_Examples, Observed_Examples, Relationships, Weakness_Ordinalities |
|
Minor |
None |
256 |
Unprotected Storage of Credentials |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
257 |
Storing Passwords in a Recoverable Format |
|
Major |
Demonstrative_Examples, Maintenance_Notes |
|
Minor |
None |
259 |
Use of Hard-coded Password |
|
Major |
Demonstrative_Examples, Maintenance_Notes |
|
Minor |
None |
260 |
Password in Configuration File |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
266 |
Incorrect Privilege Assignment |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
267 |
Privilege Defined With Unsafe Actions |
|
Major |
Maintenance_Notes |
|
Minor |
None |
269 |
Improper Privilege Management |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
272 |
Least Privilege Violation |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
274 |
Improper Handling of Insufficient Privileges |
|
Major |
Relationship_Notes, Theoretical_Notes |
|
Minor |
None |
280 |
Improper Handling of Insufficient Permissions or Privileges |
|
Major |
Maintenance_Notes |
|
Minor |
None |
284 |
Improper Access Control |
|
Major |
Maintenance_Notes, Relationships |
|
Minor |
None |
285 |
Improper Authorization |
|
Major |
Alternate_Terms |
|
Minor |
None |
287 |
Improper Authentication |
|
Major |
Alternate_Terms, Demonstrative_Examples |
|
Minor |
None |
290 |
Authentication Bypass by Spoofing |
|
Major |
None |
|
Minor |
Demonstrative_Examples |
292 |
DEPRECATED (Duplicate): Trusting Self-reported DNS Name |
|
Major |
Likelihood_of_Exploit, Taxonomy_Mappings |
|
Minor |
None |
293 |
Using Referer Field for Authentication |
|
Major |
References |
|
Minor |
None |
300 |
Channel Accessible by Non-Endpoint |
|
Major |
Alternate_Terms, Related_Attack_Patterns |
|
Minor |
None |
301 |
Reflection Attack in an Authentication Protocol |
|
Major |
Description, Other_Notes |
|
Minor |
None |
302 |
Authentication Bypass by Assumed-Immutable Data |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
308 |
Use of Single-factor Authentication |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
309 |
Use of Password System for Primary Authentication |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
312 |
Cleartext Storage of Sensitive Information |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
313 |
Cleartext Storage in a File or on Disk |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
324 |
Use of a Key Past its Expiration Date |
|
Major |
References |
|
Minor |
None |
327 |
Use of a Broken or Risky Cryptographic Algorithm |
|
Major |
References |
|
Minor |
None |
328 |
Reversible One-Way Hash |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
329 |
Not Using an Unpredictable IV with CBC Mode |
|
Major |
Background_Details, Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Relationships |
|
Minor |
None |
330 |
Use of Insufficiently Random Values |
|
Major |
Maintenance_Notes, Relationships |
|
Minor |
None |
332 |
Insufficient Entropy in PRNG |
|
Major |
References |
|
Minor |
None |
338 |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
339 |
Small Seed Space in PRNG |
|
Major |
Maintenance_Notes |
|
Minor |
None |
350 |
Reliance on Reverse DNS Resolution for a Security-Critical Action |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
359 |
Exposure of Private Personal Information to an Unauthorized Actor |
|
Major |
References |
|
Minor |
None |
362 |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
364 |
Signal Handler Race Condition |
|
Major |
Potential_Mitigations |
|
Minor |
None |
366 |
Race Condition within a Thread |
|
Major |
Potential_Mitigations |
|
Minor |
None |
375 |
Returning a Mutable Object to an Untrusted Caller |
|
Major |
Relationships |
|
Minor |
None |
378 |
Creation of Temporary File With Insecure Permissions |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
379 |
Creation of Temporary File in Directory with Insecure Permissions |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
387 |
Signal Errors |
|
Major |
Maintenance_Notes |
|
Minor |
None |
391 |
Unchecked Error Condition |
|
Major |
Description, Relationships |
|
Minor |
None |
393 |
Return of Wrong Status Code |
|
Major |
Maintenance_Notes |
|
Minor |
None |
394 |
Unexpected Status Code or Return Value |
|
Major |
Relationships |
|
Minor |
None |
401 |
Missing Release of Memory after Effective Lifetime |
|
Major |
Relationships |
|
Minor |
None |
404 |
Improper Resource Shutdown or Release |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
407 |
Inefficient Algorithmic Complexity |
|
Major |
References, Relationships |
|
Minor |
None |
413 |
Improper Resource Locking |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
415 |
Double Free |
|
Major |
Maintenance_Notes, Theoretical_Notes |
|
Minor |
None |
426 |
Untrusted Search Path |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
427 |
Uncontrolled Search Path Element |
|
Major |
Alternate_Terms, Description, Maintenance_Notes, References, Theoretical_Notes |
|
Minor |
None |
434 |
Unrestricted Upload of File with Dangerous Type |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
446 |
UI Discrepancy for Security Feature |
|
Major |
Maintenance_Notes, Relationship_Notes, Weakness_Ordinalities |
|
Minor |
None |
451 |
User Interface (UI) Misrepresentation of Critical Information |
|
Major |
Maintenance_Notes, Observed_Examples |
|
Minor |
None |
456 |
Missing Initialization of a Variable |
|
Major |
Demonstrative_Examples, Observed_Examples, Relationships |
|
Minor |
None |
457 |
Use of Uninitialized Variable |
|
Major |
Demonstrative_Examples, Observed_Examples, Relationships |
|
Minor |
None |
460 |
Improper Cleanup on Thrown Exception |
|
Major |
Relationships |
|
Minor |
None |
469 |
Use of Pointer Subtraction to Determine Size |
|
Major |
Potential_Mitigations |
|
Minor |
None |
476 |
NULL Pointer Dereference |
|
Major |
Demonstrative_Examples, Observed_Examples |
|
Minor |
None |
477 |
Use of Obsolete Function |
|
Major |
Relationships |
|
Minor |
None |
480 |
Use of Incorrect Operator |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
481 |
Assigning instead of Comparing |
|
Major |
Demonstrative_Examples, Potential_Mitigations |
|
Minor |
None |
488 |
Exposure of Data Element to Wrong Session |
|
Major |
Relationships |
|
Minor |
None |
489 |
Active Debug Code |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
490 |
DEPRECATED: Mobile Code Issues |
|
Major |
Other_Notes |
|
Minor |
None |
494 |
Download of Code Without Integrity Check |
|
Major |
References, Related_Attack_Patterns |
|
Minor |
None |
497 |
Exposure of Sensitive System Information to an Unauthorized Control Sphere |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
498 |
Cloneable Class Containing Sensitive Information |
|
Major |
Relationships |
|
Minor |
None |
499 |
Serializable Class Containing Sensitive Data |
|
Major |
Relationships |
|
Minor |
None |
502 |
Deserialization of Untrusted Data |
|
Major |
None |
|
Minor |
Demonstrative_Examples |
503 |
DEPRECATED: Byte/Object Code |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
504 |
DEPRECATED: Motivation/Intent |
|
Major |
Taxonomy_Mappings |
|
Minor |
None |
522 |
Insufficiently Protected Credentials |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
541 |
Inclusion of Sensitive Information in an Include File |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
561 |
Dead Code |
|
Major |
Relationships |
|
Minor |
None |
563 |
Assignment to Variable without Use |
|
Major |
Relationships |
|
Minor |
None |
587 |
Assignment of a Fixed Address to a Pointer |
|
Major |
Common_Consequences, Weakness_Ordinalities |
|
Minor |
Description |
590 |
Free of Memory not on the Heap |
|
Major |
Maintenance_Notes, Other_Notes |
|
Minor |
None |
595 |
Comparison of Object References Instead of Object Contents |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
597 |
Use of Wrong Operator in String Comparison |
|
Major |
Demonstrative_Examples, Description, Potential_Mitigations, Relationships |
|
Minor |
None |
600 |
Uncaught Exception in Servlet |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
603 |
Use of Client-Side Authentication |
|
Major |
Maintenance_Notes, Relationships |
|
Minor |
None |
625 |
Permissive Regular Expression |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
628 |
Function Call with Incorrectly Specified Arguments |
|
Major |
Detection_Factors, Relationships |
|
Minor |
None |
635 |
Weaknesses Originally Used by NVD from 2008 to 2016 |
|
Major |
Maintenance_Notes |
|
Minor |
None |
639 |
Authorization Bypass Through User-Controlled Key |
|
Major |
Alternate_Terms |
|
Minor |
None |
642 |
External Control of Critical State Data |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
654 |
Reliance on a Single Factor in a Security Decision |
|
Major |
Alternate_Terms, Maintenance_Notes |
|
Minor |
None |
656 |
Reliance on Security Through Obscurity |
|
Major |
Relationships |
|
Minor |
None |
664 |
Improper Control of a Resource Through its Lifetime |
|
Major |
Maintenance_Notes, Relationships |
|
Minor |
None |
665 |
Improper Initialization |
|
Major |
Observed_Examples |
|
Minor |
None |
667 |
Improper Locking |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
668 |
Exposure of Resource to Wrong Sphere |
|
Major |
Relationships |
|
Minor |
None |
674 |
Uncontrolled Recursion |
|
Major |
Potential_Mitigations |
|
Minor |
None |
676 |
Use of Potentially Dangerous Function |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
681 |
Incorrect Conversion between Numeric Types |
|
Major |
Relationships |
|
Minor |
None |
687 |
Function Call With Incorrectly Specified Argument Value |
|
Major |
Relationships |
|
Minor |
None |
690 |
Unchecked Return Value to NULL Pointer Dereference |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
691 |
Insufficient Control Flow Management |
|
Major |
Maintenance_Notes |
|
Minor |
None |
693 |
Protection Mechanism Failure |
|
Major |
Maintenance_Notes |
|
Minor |
None |
696 |
Incorrect Behavior Order |
|
Major |
Observed_Examples |
|
Minor |
None |
705 |
Incorrect Control Flow Scoping |
|
Major |
Relationships |
|
Minor |
None |
711 |
Weaknesses in OWASP Top Ten (2004) |
|
Major |
Description, Maintenance_Notes, Relationship_Notes |
|
Minor |
None |
734 |
Weaknesses Addressed by the CERT C Secure Coding Standard (2008) |
|
Major |
Description, Maintenance_Notes |
|
Minor |
None |
754 |
Improper Check for Unusual or Exceptional Conditions |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
756 |
Missing Custom Error Page |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
759 |
Use of a One-Way Hash without a Salt |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
761 |
Free of Pointer not at Start of Buffer |
|
Major |
Observed_Examples |
|
Minor |
None |
762 |
Mismatched Memory Management Routines |
|
Major |
Relationships |
|
Minor |
None |
763 |
Release of Invalid Pointer or Reference |
|
Major |
Maintenance_Notes |
|
Minor |
None |
767 |
Access to Critical Private Variable via Public Method |
|
Major |
Relationships |
|
Minor |
None |
772 |
Missing Release of Resource after Effective Lifetime |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
782 |
Exposed IOCTL with Insufficient Access Control |
|
Major |
Observed_Examples |
|
Minor |
None |
783 |
Operator Precedence Logic Error |
|
Major |
Relationships |
|
Minor |
None |
785 |
Use of Path Manipulation Function without Maximum-sized Buffer |
|
Major |
Maintenance_Notes |
|
Minor |
None |
787 |
Out-of-bounds Write |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
789 |
Memory Allocation with Excessive Size Value |
|
Major |
Demonstrative_Examples, Relationships |
|
Minor |
None |
795 |
Only Filtering Special Elements at a Specified Location |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
798 |
Use of Hard-coded Credentials |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
805 |
Buffer Access with Incorrect Length Value |
|
Major |
None |
|
Minor |
Potential_Mitigations |
825 |
Expired Pointer Dereference |
|
Major |
Observed_Examples |
|
Minor |
None |
828 |
Signal Handler with Functionality that is not Asynchronous-Safe |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
829 |
Inclusion of Functionality from Untrusted Control Sphere |
|
Major |
Potential_Mitigations, Related_Attack_Patterns |
|
Minor |
None |
835 |
Loop with Unreachable Exit Condition ('Infinite Loop') |
|
Major |
Observed_Examples |
|
Minor |
None |
862 |
Missing Authorization |
|
Major |
Alternate_Terms, Observed_Examples |
|
Minor |
None |
863 |
Incorrect Authorization |
|
Major |
Alternate_Terms |
|
Minor |
None |
868 |
Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version) |
|
Major |
Description, Maintenance_Notes |
|
Minor |
None |
908 |
Use of Uninitialized Resource |
|
Major |
Demonstrative_Examples, Observed_Examples |
|
Minor |
None |
909 |
Missing Initialization of Resource |
|
Major |
Demonstrative_Examples, Observed_Examples |
|
Minor |
None |
922 |
Insecure Storage of Sensitive Information |
|
Major |
Maintenance_Notes |
|
Minor |
None |
923 |
Improper Restriction of Communication Channel to Intended Endpoints |
|
Major |
Maintenance_Notes |
|
Minor |
None |
924 |
Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
|
Major |
Maintenance_Notes |
|
Minor |
None |
927 |
Use of Implicit Intent for Sensitive Communication |
|
Major |
Maintenance_Notes |
|
Minor |
None |
939 |
Improper Authorization in Handler for Custom URL Scheme |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
941 |
Incorrectly Specified Destination in a Communication Channel |
|
Major |
Maintenance_Notes |
|
Minor |
None |
943 |
Improper Neutralization of Special Elements in Data Query Logic |
|
Major |
Maintenance_Notes |
|
Minor |
None |
969 |
SFP Secondary Cluster: Faulty Memory Release |
|
Major |
Relationships |
|
Minor |
None |
977 |
SFP Secondary Cluster: Design |
|
Major |
Relationships |
|
Minor |
None |
982 |
SFP Secondary Cluster: Failure to Release Resource |
|
Major |
Relationships |
|
Minor |
None |
998 |
SFP Secondary Cluster: Glitch in Computation |
|
Major |
Relationships |
|
Minor |
None |
1000 |
Research Concepts |
|
Major |
Description, Other_Notes |
|
Minor |
None |
1003 |
Weaknesses for Simplified Mapping of Published Vulnerabilities |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1023 |
Incomplete Comparison with Missing Factors |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
1025 |
Comparison Using Wrong Factors |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
1037 |
Processor Optimization Removal or Modification of Security-critical Code |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1129 |
CISQ Quality Measures (2016) - Reliability |
|
Major |
Description, Name |
|
Minor |
None |
1130 |
CISQ Quality Measures (2016) - Maintainability |
|
Major |
Description, Name |
|
Minor |
None |
1131 |
CISQ Quality Measures (2016) - Security |
|
Major |
Description, Name |
|
Minor |
None |
1132 |
CISQ Quality Measures (2016) - Performance Efficiency |
|
Major |
Description, Name |
|
Minor |
None |
1179 |
SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS) |
|
Major |
Relationships |
|
Minor |
None |
1180 |
SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL) |
|
Major |
Relationships |
|
Minor |
None |
1181 |
SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP) |
|
Major |
Relationships |
|
Minor |
None |
1182 |
SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT) |
|
Major |
Relationships |
|
Minor |
None |
1184 |
SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP) |
|
Major |
Relationships |
|
Minor |
None |
1185 |
SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO) |
|
Major |
Relationships |
|
Minor |
None |
1186 |
SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC) |
|
Major |
Relationships |
|
Minor |
None |
1191 |
Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1232 |
Improper Lock Behavior After Power State Transition |
|
Major |
Description |
|
Minor |
None |
1233 |
Improper Hardware Lock Protection for Security Sensitive Controls |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1235 |
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
1236 |
Improper Neutralization of Formula Elements in a CSV File |
|
Major |
Description, Potential_Mitigations |
|
Minor |
None |
1241 |
Use of Predictable Algorithm in Random Number Generator |
|
Major |
Maintenance_Notes, Research_Gaps |
|
Minor |
None |
1243 |
Sensitive Non-Volatile Information Not Protected During Debug |
|
Major |
Description |
|
Minor |
None |
1244 |
Improper Access to Sensitive Information Using Debug and Test Interfaces |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1247 |
Missing or Improperly Implemented Protection Against Voltage and Clock Glitches |
|
Major |
Functional_Areas |
|
Minor |
None |
1251 |
Mirrored Regions with Different Values |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
1255 |
Comparison Logic is Vulnerable to Power Side-Channel Attacks |
|
Major |
Functional_Areas, Maintenance_Notes, Relationships |
|
Minor |
None |
1256 |
Hardware Features Enable Physical Attacks from Software |
|
Major |
Demonstrative_Examples, Functional_Areas, Maintenance_Notes |
|
Minor |
None |
1259 |
Improper Restriction of Security Token Assignment |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1271 |
Uninitialized Value on Reset for Registers Holding Security Settings |
|
Major |
Name, Type |
|
Minor |
None |
1272 |
Sensitive Information Uncleared Before Debug/Power State Transition |
|
Major |
Functional_Areas |
|
Minor |
None |
1277 |
Firmware Not Updateable |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1278 |
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1279 |
Cryptographic Operations are run Before Supporting Units are Ready |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1281 |
Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire) |
|
Major |
Potential_Mitigations |
|
Minor |
None |
1282 |
Assumed-Immutable Data is Stored in Writable Memory |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1285 |
Improper Validation of Specified Index, Position, or Offset in Input |
|
Major |
Demonstrative_Examples |
|
Minor |
None |
1300 |
Improper Protection Against Physical Side Channels |
|
Major |
Functional_Areas, Maintenance_Notes |
|
Minor |
None |
1303 |
Non-Transparent Sharing of Microarchitectural Resources |
|
Major |
Related_Attack_Patterns |
|
Minor |
None |
1304 |
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation |
|
Major |
Functional_Areas |
|
Minor |
None |
1310 |
Missing Ability to Patch ROM Code |
|
Major |
Maintenance_Notes |
|
Minor |
None |
1327 |
Binding to an Unrestricted IP Address |
|
Major |
Relationships |
|
Minor |
None |
1332 |
Insufficient Protection Against Instruction Skipping Via Fault Injection |
|
Major |
Description, Functional_Areas, Potential_Mitigations, References |
|
Minor |
None |