CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Version 1.0 and Version 2.0  
ID

Differences between Version 1.0 and Version 2.0

Summary
Summary
Total (Version 2.0) 870
Total (Version 1.0) 734
Total new 136
Total deprecated 5
Total shared 734
Total important changes 545
Total major changes 684
Total minor changes 96
Total minor changes (no major)
Total unchanged 50

Summary of Entry Types

Type Version 1.0 Version 2.0
Category 86 141
Chain 3 3
Composite 9 6
Deprecated 7 12
View 20 26
Weakness 609 682

Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 236 4
Description 371 2
Applicable_Platforms 70 17
Time_of_Introduction 22 0
Demonstrative_Examples 231 2
Detection_Factors 42 0
Likelihood_of_Exploit 32 0
Common_Consequences 619 0
Relationships 385 0
References 70 1
Potential_Mitigations 229 70
Observed_Examples 110 1
Terminology_Notes 11 0
Alternate_Terms 22 1
Related_Attack_Patterns 108 0
Relationship_Notes 58 0
Taxonomy_Mappings 230 0
Maintenance_Notes 41 0
Modes_of_Introduction 15 0
Affected_Resources 2 0
Functional_Areas 4 2
Research_Gaps 22 0
Background_Details 22 0
Theoretical_Notes 18 0
Weakness_Ordinalities 19 0
White_Box_Definitions 14 0
Enabling_Factors_for_Exploitation 8 0
Other_Notes 233 2
Relevant_Properties 2 0
View_Type 0 0
View_Structure 1 0
View_Filter 3 0
View_Audience 0 0
Common_Methods_of_Exploitation 0 0
Type 16 0
Causal_Nature 2 0
Source_Taxonomy 0 0
Context_Notes 0 0
Black_Box_Definitions 0 0

Form and Abstraction Changes

From To Total
Unchanged 718
Composite Weakness/Base 3
Weakness/Base Deprecated 4
Weakness/Base Weakness/Class 3
Weakness/Base Weakness/Variant 1
Weakness/Class Category 1
Weakness/Variant Deprecated 1
Weakness/Variant Weakness/Base 3

Status Changes

From To Total
Unchanged 718
Draft Deprecated 1
Draft Usable 4
Incomplete Deprecated 4
Incomplete Draft 7

Relationship Changes

The "Version 2.0 Total" lists the total number of relationships in Version 2.0. The "Shared" value is the total number of relationships in entries that were in both Version 2.0 and Version 1.0. The "New" value is the total number of relationships involving entries that did not exist in Version 1.0. Thus, the total number of relationships in Version 2.0 would combine stats from Shared entries and New entries.

Relationship Version 2.0 Total Version 1.0 Total Version 2.0 Shared Unchanged Added to Version 2.0 Removed from Version 1.0 Version 2.0 New
ALL 5487 3994 4021 3651 370 343 1466
ChildOf 2367 1694 1712 1559 153 135 655
ParentOf 2367 1694 1712 1559 153 135 655
MemberOf 140 96 88 88 8 52
HasMember 140 96 88 88 8 52
CanPrecede 113 65 89 60 29 5 24
CanFollow 113 65 89 60 29 5 24
StartsWith 3 3 3 3
Requires 19 27 19 19 8
RequiredBy 19 27 19 19 8
CanAlsoBe 34 39 34 34 5
PeerOf 172 188 168 162 6 26 4

Nodes Removed from Version 1.0

CWE-ID CWE Name
None.

Nodes Added to Version 2.0

CWE-ID CWE Name
733 Compiler Optimization Removal or Modification of Security-critical Code
734 Weaknesses Addressed by the CERT C Secure Coding Standard
735 CERT C Secure Coding Section 01 - Preprocessor (PRE)
736 CERT C Secure Coding Section 02 - Declarations and Initialization (DCL)
737 CERT C Secure Coding Section 03 - Expressions (EXP)
738 CERT C Secure Coding Section 04 - Integers (INT)
739 CERT C Secure Coding Section 05 - Floating Point (FLP)
740 CERT C Secure Coding Section 06 - Arrays (ARR)
741 CERT C Secure Coding Section 07 - Characters and Strings (STR)
742 CERT C Secure Coding Section 08 - Memory Management (MEM)
743 CERT C Secure Coding Section 09 - Input Output (FIO)
744 CERT C Secure Coding Section 10 - Environment (ENV)
745 CERT C Secure Coding Section 11 - Signals (SIG)
746 CERT C Secure Coding Section 12 - Error Handling (ERR)
747 CERT C Secure Coding Section 49 - Miscellaneous (MSC)
748 CERT C Secure Coding Section 50 - POSIX (POS)
749 Exposed Dangerous Method or Function
750 Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
751 2009 Top 25 - Insecure Interaction Between Components
752 2009 Top 25 - Risky Resource Management
753 2009 Top 25 - Porous Defenses
754 Improper Check for Unusual or Exceptional Conditions
755 Improper Handling of Exceptional Conditions
756 Missing Custom Error Page
757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
759 Use of a One-Way Hash without a Salt
760 Use of a One-Way Hash with a Predictable Salt
761 Free of Pointer not at Start of Buffer
762 Mismatched Memory Management Routines
763 Release of Invalid Pointer or Reference
764 Multiple Locks of a Critical Resource
765 Multiple Unlocks of a Critical Resource
766 Critical Variable Declared Public
767 Access to Critical Private Variable via Public Method
768 Incorrect Short Circuit Evaluation
769 File Descriptor Exhaustion
770 Allocation of Resources Without Limits or Throttling
771 Missing Reference to Active Allocated Resource
772 Missing Release of Resource after Effective Lifetime
773 Missing Reference to Active File Descriptor or Handle
774 Allocation of File Descriptors or Handles Without Limits or Throttling
775 Missing Release of File Descriptor or Handle after Effective Lifetime
776 Unrestricted Recursive Entity References in DTDs ('XML Bomb')
777 Regular Expression without Anchors
778 Insufficient Logging
779 Logging of Excessive Data
780 Use of RSA Algorithm without OAEP
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
782 Exposed IOCTL with Insufficient Access Control
783 Operator Precedence Logic Error
784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
785 Use of Path Manipulation Function without Maximum-sized Buffer
786 Access of Memory Location Before Start of Buffer
787 Out-of-bounds Write
788 Access of Memory Location After End of Buffer
789 Uncontrolled Memory Allocation
790 Improper Filtering of Special Elements
791 Incomplete Filtering of Special Elements
792 Incomplete Filtering of One or More Instances of Special Elements
793 Only Filtering One Instance of a Special Element
794 Incomplete Filtering of Multiple Instances of Special Elements
795 Only Filtering Special Elements at a Specified Location
796 Only Filtering Special Elements Relative to a Marker
797 Only Filtering Special Elements at an Absolute Position
798 Use of Hard-coded Credentials
799 Improper Control of Interaction Frequency
800 Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
801 2010 Top 25 - Insecure Interaction Between Components
802 2010 Top 25 - Risky Resource Management
803 2010 Top 25 - Porous Defenses
804 Guessable CAPTCHA
805 Buffer Access with Incorrect Length Value
806 Buffer Access Using Size of Source Buffer
807 Reliance on Untrusted Inputs in a Security Decision
808 2010 Top 25 - Weaknesses On the Cusp
809 Weaknesses in OWASP Top Ten (2010)
810 OWASP Top Ten 2010 Category A1 - Injection
811 OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
812 OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management
813 OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
814 OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)
815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration
816 OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage
817 OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access
818 OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection
819 OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards
820 Missing Synchronization
821 Incorrect Synchronization
822 Untrusted Pointer Dereference
823 Use of Out-of-range Pointer Offset
824 Access of Uninitialized Pointer
825 Expired Pointer Dereference
826 Premature Release of Resource During Expected Lifetime
827 Improper Control of Document Type Definition
828 Signal Handler with Functionality that is not Asynchronous-Safe
829 Inclusion of Functionality from Untrusted Control Sphere
830 Inclusion of Web Functionality from an Untrusted Source
831 Signal Handler Function Associated with Multiple Signals
832 Unlock of a Resource that is not Locked
833 Deadlock
834 Excessive Iteration
835 Loop with Unreachable Exit Condition ('Infinite Loop')
836 Use of Password Hash Instead of Password for Authentication
837 Improper Enforcement of a Single, Unique Action
838 Inappropriate Encoding for Output Context
839 Numeric Range Comparison Without Minimum Check
840 Business Logic Errors
841 Improper Enforcement of Behavioral Workflow
842 Placement of User into Incorrect Group
843 Access of Resource Using Incompatible Type ('Type Confusion')
844 Weaknesses Addressed by the CERT Java Secure Coding Standard
845 CERT Java Secure Coding Section 00 - Input Validation and Data Sanitization (IDS)
846 CERT Java Secure Coding Section 01 - Declarations and Initialization (DCL)
847 CERT Java Secure Coding Section 02 - Expressions (EXP)
848 CERT Java Secure Coding Section 03 - Numeric Types and Operations (NUM)
849 CERT Java Secure Coding Section 04 - Object Orientation (OBJ)
850 CERT Java Secure Coding Section 05 - Methods (MET)
851 CERT Java Secure Coding Section 06 - Exceptional Behavior (ERR)
852 CERT Java Secure Coding Section 07 - Visibility and Atomicity (VNA)
853 CERT Java Secure Coding Section 08 - Locking (LCK)
854 CERT Java Secure Coding Section 09 - Thread APIs (THI)
855 CERT Java Secure Coding Section 10 - Thread Pools (TPS)
856 CERT Java Secure Coding Section 11 - Thread-Safety Miscellaneous (TSM)
857 CERT Java Secure Coding Section 12 - Input Output (FIO)
858 CERT Java Secure Coding Section 13 - Serialization (SER)
859 CERT Java Secure Coding Section 14 - Platform Security (SEC)
860 CERT Java Secure Coding Section 15 - Runtime Environment (ENV)
861 CERT Java Secure Coding Section 49 - Miscellaneous (MSC)
862 Missing Authorization
863 Incorrect Authorization
864 2011 Top 25 - Insecure Interaction Between Components
865 2011 Top 25 - Risky Resource Management
866 2011 Top 25 - Porous Defenses
867 2011 Top 25 - Weaknesses On the Cusp
900 Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors

Nodes Deprecated in Version 2.0

CWE-ID CWE Name
92 DEPRECATED: Improper Sanitization of Custom Special Characters
217 DEPRECATED: Failure to Protect Stored Data from Modification
249 DEPRECATED: Often Misused: Path Manipulation
373 DEPRECATED: State Synchronization Error
423 DEPRECATED (Duplicate): Proxied Trusted Channel
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 6 J2EE Misconfiguration: Insufficient Session-ID Length
DNR 7 J2EE Misconfiguration: Missing Custom Error Page
R 9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
D 11 ASP.NET Misconfiguration: Creating Debug Binary
NR 12 ASP.NET Misconfiguration: Missing Custom Error Page
D R 14 Compiler Removal of Code to Clear Buffers
D R 15 External Control of System or Configuration Setting
DNR 20 Improper Input Validation
D 21 Pathname Traversal and Equivalence Errors
DNR 22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
D 23 Relative Path Traversal
D 24 Path Traversal: '../filedir'
D 25 Path Traversal: '/../filedir'
D 26 Path Traversal: '/dir/../filename'
D 27 Path Traversal: 'dir/../../filename'
DN 28 Path Traversal: '..\filedir'
D 29 Path Traversal: '\..\filename'
D 30 Path Traversal: '\dir\..\filename'
D 31 Path Traversal: 'dir\..\..\filename'
D 32 Path Traversal: '...' (Triple Dot)
D 33 Path Traversal: '....' (Multiple Dot)
D R 34 Path Traversal: '....//'
D R 35 Path Traversal: '.../...//'
D R 36 Absolute Path Traversal
R 37 Path Traversal: '/absolute/pathname/here'
R 38 Path Traversal: '\absolute\pathname\here'
R 39 Path Traversal: 'C:dirname'
DNR 41 Improper Resolution of Path Equivalence
R 45 Path Equivalence: 'file...name' (Multiple Internal Dot)
DN 57 Path Equivalence: 'fakedir/../realdir/filename'
D 58 Path Equivalence: Windows 8.3 Filename
DNR 59 Improper Link Resolution Before File Access ('Link Following')
D 61 UNIX Symbolic Link (Symlink) Following
D R 62 UNIX Hard Link
D R 64 Windows Shortcut Following (.LNK)
D R 65 Windows Hard Link
DN 66 Improper Handling of File Names that Identify Virtual Resources
DNR 67 Improper Handling of Windows Device Names
DN 69 Improper Handling of Windows ::DATA Alternate Data Stream
DN 72 Improper Handling of Apple HFS+ Alternate Data Stream Path
D R 73 External Control of File Name or Path
DNR 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
D 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
DN 76 Improper Neutralization of Equivalent Special Elements
DNR 77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
DNR 78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
DNR 79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
DN 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
DN 81 Improper Neutralization of Script in an Error Message Web Page
DNR 82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
DNR 83 Improper Neutralization of Script in Attributes in a Web Page
DN 84 Improper Neutralization of Encoded URI Schemes in a Web Page
D 85 Doubled Character XSS Manipulations
DN 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
DN 87 Improper Neutralization of Alternate XSS Syntax
R 88 Argument Injection or Modification
DNR 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
DNR 90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
D R 91 XML Injection (aka Blind XPath Injection)
DNR 92 DEPRECATED: Improper Sanitization of Custom Special Characters
DN 93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
DNR 94 Improper Control of Generation of Code ('Code Injection')
DN 95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
DN 96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
DN 97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
DNR 98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
DN 99 Improper Control of Resource Identifiers ('Resource Injection')
R 100 Technology-Specific Input Validation Problems
D R 102 Struts: Duplicate Validation Forms
D R 103 Struts: Incomplete validate() Method Definition
R 104 Struts: Form Bean Does Not Extend Validation Class
R 106 Struts: Plug-in Framework not in Use
D 108 Struts: Unvalidated Action Form
R 109 Struts: Validator Turned Off
D 110 Struts: Validator Without Form Field
D R 111 Direct Use of Unsafe JNI
D 112 Missing XML Validation
DN 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
D 114 Process Control
R 115 Misinterpretation of Input
DNR 116 Improper Encoding or Escaping of Output
DNR 117 Improper Output Neutralization for Logs
DNR 118 Improper Access of Indexable Resource ('Range Error')
DNR 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
DNR 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
R 121 Stack-based Buffer Overflow
R 122 Heap-based Buffer Overflow
R 123 Write-what-where Condition
DNR 124 Buffer Underwrite ('Buffer Underflow')
D R 125 Out-of-bounds Read
D R 126 Buffer Over-read
D R 127 Buffer Under-read
R 128 Wrap-around Error
DNR 129 Improper Validation of Array Index
DNR 130 Improper Handling of Length Parameter Inconsistency
R 131 Incorrect Calculation of Buffer Size
R 132 DEPRECATED (Duplicate): Miscalculated Null Termination
R 134 Uncontrolled Format String
D R 135 Incorrect Calculation of Multi-Byte String Length
DNR 138 Improper Neutralization of Special Elements
D R 139 DEPRECATED: General Special Element Problems
DN 140 Improper Neutralization of Delimiters
DN 141 Improper Neutralization of Parameter/Argument Delimiters
DN 142 Improper Neutralization of Value Delimiters
DN 143 Improper Neutralization of Record Delimiters
DNR 144 Improper Neutralization of Line Delimiters
DN 145 Improper Neutralization of Section Delimiters
DN 146 Improper Neutralization of Expression/Command Delimiters
DN 147 Improper Neutralization of Input Terminators
N 148 Improper Neutralization of Input Leaders
N 149 Improper Neutralization of Quoting Syntax
DNR 150 Improper Neutralization of Escape, Meta, or Control Sequences
DN 151 Improper Neutralization of Comment Delimiters
DN 152 Improper Neutralization of Macro Symbols
DN 153 Improper Neutralization of Substitution Characters
DN 154 Improper Neutralization of Variable Name Delimiters
DN 155 Improper Neutralization of Wildcards or Matching Symbols
DN 156 Improper Neutralization of Whitespace
DN 158 Improper Neutralization of Null Byte or NUL Character
D 159 Failure to Sanitize Special Element
DN 160 Improper Neutralization of Leading Special Elements
DN 161 Improper Neutralization of Multiple Leading Special Elements
DN 162 Improper Neutralization of Trailing Special Elements
DNR 163 Improper Neutralization of Multiple Trailing Special Elements
DN 164 Improper Neutralization of Internal Special Elements
DNR 165 Improper Neutralization of Multiple Internal Special Elements
DNR 166 Improper Handling of Missing Special Element
DNR 167 Improper Handling of Additional Special Element
DNR 168 Improper Handling of Inconsistent Special Elements
D R 170 Improper Null Termination
D R 171 Cleansing, Canonicalization, and Comparison Errors
D 172 Encoding Error
N 173 Improper Handling of Alternate Encoding
N 175 Improper Handling of Mixed Encoding
NR 176 Improper Handling of Unicode Encoding
N 177 Improper Handling of URL Encoding (Hex Encoding)
DN 178 Improper Handling of Case Sensitivity
D R 179 Incorrect Behavior Order: Early Validation
D R 180 Incorrect Behavior Order: Validate Before Canonicalize
D 181 Incorrect Behavior Order: Validate Before Filter
D R 182 Collapse of Data into Unsafe Value
R 183 Permissive Whitelist
D R 184 Incomplete Blacklist
D 185 Incorrect Regular Expression
R 187 Partial Comparison
R 188 Reliance on Data/Memory Layout
R 189 Numeric Errors
DNR 190 Integer Overflow or Wraparound
D 191 Integer Underflow (Wrap or Wraparound)
D R 192 Integer Coercion Error
R 193 Off-by-one Error
DNR 194 Unexpected Sign Extension
D R 195 Signed to Unsigned Conversion Error
D R 197 Numeric Truncation Error
D R 198 Use of Incorrect Byte Ordering
R 199 Information Management Errors
DNR 200 Information Exposure
DN 201 Information Exposure Through Sent Data
N 202 Exposure of Sensitive Data Through Data Queries
DN 203 Information Exposure Through Discrepancy
DN 204 Response Discrepancy Information Exposure
DN 205 Information Exposure Through Behavioral Discrepancy
N 206 Information Exposure of Internal State Through Behavioral Inconsistency
DN 207 Information Exposure Through an External Behavioral Inconsistency
DNR 208 Information Exposure Through Timing Discrepancy
DNR 209 Information Exposure Through an Error Message
NR 210 Information Exposure Through Generated Error Message
DN 211 Information Exposure Through External Error Message
DNR 212 Improper Cross-boundary Removal of Sensitive Data
N 213 Intentional Information Exposure
DN 214 Information Exposure Through Process Environment
DNR 215 Information Exposure Through Debug Information
R 216 Containment Errors (Container Errors)
DNR 217 DEPRECATED: Failure to Protect Stored Data from Modification
R 218 DEPRECATED (Duplicate): Failure to provide confidentiality for stored data
R 219 Sensitive Data Under Web Root
R 223 Omission of Security-relevant Information
R 225 DEPRECATED (Duplicate): General Information Management Problems
D R 226 Sensitive Information Uncleared Before Release
DNR 227 Improper Fulfillment of API Contract ('API Abuse')
DN 228 Improper Handling of Syntactically Invalid Structure
D 229 Improper Handling of Values
DNR 230 Improper Handling of Missing Values
DN 231 Improper Handling of Extra Values
DNR 232 Improper Handling of Undefined Values
DN 235 Improper Handling of Extra Parameters
DN 236 Improper Handling of Undefined Parameters
DN 237 Improper Handling of Structural Elements
DN 238 Improper Handling of Incomplete Structural Elements
D 239 Failure to Handle Incomplete Element
DN 240 Improper Handling of Inconsistent Structural Elements
DNR 241 Improper Handling of Unexpected Data Type
D R 242 Use of Inherently Dangerous Function
DN 243 Creation of chroot Jail Without Changing Working Directory
DNR 244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
R 247 Reliance on DNS Lookups in a Security Decision
D R 248 Uncaught Exception
DNR 249 DEPRECATED: Often Misused: Path Manipulation
DNR 250 Execution with Unnecessary Privileges
D R 252 Unchecked Return Value
DNR 253 Incorrect Check of Function Return Value
R 254 Security Features
R 255 Credentials Management
R 256 Plaintext Storage of a Password
D R 257 Storing Passwords in a Recoverable Format
DNR 259 Use of Hard-coded Password
D 260 Password in Configuration File
R 261 Weak Cryptography for Passwords
R 262 Not Using Password Aging
D R 263 Password Aging with Long Expiration
R 264 Permissions, Privileges, and Access Controls
D R 265 Privilege / Sandbox Issues
R 266 Incorrect Privilege Assignment
R 267 Privilege Defined With Unsafe Actions
R 268 Privilege Chaining
DNR 269 Improper Privilege Management
D R 271 Privilege Dropping / Lowering Errors
R 272 Least Privilege Violation
DNR 273 Improper Check for Dropped Privileges
DN 274 Improper Handling of Insufficient Privileges
R 275 Permission Issues
DNR 276 Incorrect Default Permissions
DNR 279 Incorrect Execution-Assigned Permissions
DN 280 Improper Handling of Insufficient Permissions or Privileges
DN 281 Improper Preservation of Permissions
R 282 Improper Ownership Management
R 283 Unverified Ownership
DNR 284 Improper Access Control
DNR 285 Improper Authorization
R 286 Incorrect User Management
DNR 287 Improper Authentication
R 288 Authentication Bypass Using an Alternate Path or Channel
R 289 Authentication Bypass by Alternate Name
D 291 Trusting Self-reported IP Address
D 294 Authentication Bypass by Capture-replay
D 295 Certificate Issues
DNR 296 Improper Following of Chain of Trust for Certificate Validation
DNR 297 Improper Validation of Host-specific Certificate Data
DNR 298 Improper Validation of Certificate Expiration
DNR 299 Improper Check for Certificate Revocation
DNR 300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
D R 302 Authentication Bypass by Assumed-Immutable Data
DN 303 Incorrect Implementation of Authentication Algorithm
D R 304 Missing Critical Step in Authentication
NR 306 Missing Authentication for Critical Function
NR 307 Improper Restriction of Excessive Authentication Attempts
D 308 Use of Single-factor Authentication
R 310 Cryptographic Issues
DNR 311 Missing Encryption of Sensitive Data
DNR 312 Cleartext Storage of Sensitive Information
DNR 319 Cleartext Transmission of Sensitive Information
R 321 Use of Hard-coded Cryptographic Key
D R 322 Key Exchange without Entity Authentication
DNR 326 Inadequate Encryption Strength
D R 327 Use of a Broken or Risky Cryptographic Algorithm
D R 328 Reversible One-Way Hash
D R 330 Use of Insufficiently Random Values
R 332 Insufficient Entropy in PRNG
DNR 333 Improper Handling of Insufficient Entropy in TRNG
R 336 Same Seed in PRNG
R 337 Predictable Seed in PRNG
D 343 Predictable Value Range from Previous Values
R 344 Use of Invariant Value in Dynamically Changing Context
DNR 347 Improper Verification of Cryptographic Signature
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 350 Improperly Trusted Reverse DNS
R 351 Insufficient Type Distinction
D R 352 Cross-Site Request Forgery (CSRF)
DN 353 Missing Support for Integrity Check
DNR 354 Improper Validation of Integrity Check Value
D 356 Product UI does not Warn User of Unsafe Actions
D 357 Insufficient UI Warning of Dangerous Operations
D R 358 Improperly Implemented Security Check for Standard
R 359 Privacy Violation
D 360 Trust of System Event Data
D R 361 Time and State
DNR 362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
D R 363 Race Condition Enabling Link Following
D R 364 Signal Handler Race Condition
R 365 Race Condition in Switch
R 366 Race Condition within a Thread
DNR 367 Time-of-check Time-of-use (TOCTOU) Race Condition
D 368 Context Switching Race Condition
R 369 Divide By Zero
DNR 370 Missing Check for Certificate Revocation after Initial Check
R 371 State Issues
DNR 373 DEPRECATED: State Synchronization Error
NR 374 Passing Mutable Objects to an Untrusted Method
NR 375 Returning a Mutable Object to an Untrusted Caller
R 377 Insecure Temporary File
DNR 379 Creation of Temporary File in Directory with Incorrect Permissions
R 381 J2EE Time and State Issues
R 382 J2EE Bad Practices: Use of System.exit()
D R 383 J2EE Bad Practices: Direct Use of Threads
D 385 Covert Timing Channel
D R 388 Error Handling
D 389 Error Conditions, Return Values, Status Codes
D R 390 Detection of Error Condition Without Action
R 391 Unchecked Error Condition
DNR 392 Missing Report of Error Condition
D R 393 Return of Wrong Status Code
R 394 Unexpected Status Code or Return Value
R 395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
D R 396 Declaration of Catch for Generic Exception
D R 397 Declaration of Throws for Generic Exception
R 398 Indicator of Poor Code Quality
R 399 Resource Management Errors
DNR 400 Uncontrolled Resource Consumption ('Resource Exhaustion')
DNR 401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
N 402 Transmission of Private Resources into a New Sphere ('Resource Leak')
NR 403 Exposure of File Descriptor to Unintended Control Sphere
D R 404 Improper Resource Shutdown or Release
D R 405 Asymmetric Resource Consumption (Amplification)
DN 406 Insufficient Control of Network Message Volume (Network Amplification)
D R 408 Incorrect Behavior Order: Early Amplification
DNR 409 Improper Handling of Highly Compressed Data (Data Amplification)
D R 410 Insufficient Resource Pool
DNR 412 Unrestricted Externally Accessible Lock
DNR 413 Improper Resource Locking
R 415 Double Free
D R 416 Use After Free
R 418 Channel Errors
D 421 Race Condition During Access to Alternate Channel
DNR 423 DEPRECATED (Duplicate): Proxied Trusted Channel
N 424 Improper Protection of Alternate Path
D R 425 Direct Request ('Forced Browsing')
D R 426 Untrusted Search Path
D R 427 Uncontrolled Search Path Element
D R 428 Unquoted Search Path or Element
D 430 Deployment of Wrong Handler
D 431 Missing Handler
DNR 432 Dangerous Signal Handler not Disabled During Sensitive Operations
D 433 Unparsed Raw Web Content Delivery
NR 434 Unrestricted Upload of File with Dangerous Type
D R 435 Interaction Error
D R 436 Interpretation Conflict
D 437 Incomplete Model of Endpoint Features
R 438 Behavioral Problems
R 441 Unintended Proxy/Intermediary
R 442 Web Problems
R 443 DEPRECATED (Duplicate): HTTP response splitting
N 444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
D 446 UI Discrepancy for Security Feature
DNR 454 External Initialization of Trusted Variables or Data Stores
R 456 Missing Initialization
R 458 DEPRECATED: Incorrect Initialization
R 459 Incomplete Cleanup
D R 460 Improper Cleanup on Thrown Exception
D R 462 Duplicate Key in Associative List (Alist)
D 463 Deletion of Data Structure Sentinel
D R 464 Addition of Data Structure Sentinel
R 465 Pointer Issues
R 466 Return of Pointer Value Outside of Expected Range
R 467 Use of sizeof() on a Pointer Type
R 468 Incorrect Pointer Scaling
R 469 Use of Pointer Subtraction to Determine Size
DNR 470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
D R 472 External Control of Assumed-Immutable Web Parameter
R 473 PHP External Variable Modification
D R 476 NULL Pointer Dereference
DN 478 Missing Default Case in Switch Statement
DNR 479 Signal Handler Use of a Non-reentrant Function
R 480 Use of Incorrect Operator
D 481 Assigning instead of Comparing
R 482 Comparing instead of Assigning
D 483 Incorrect Block Delimitation
DNR 484 Omitted Break Statement in Switch
R 485 Insufficient Encapsulation
R 486 Comparison of Classes by Name
R 487 Reliance on Package-level Scope
DNR 488 Exposure of Data Element to Wrong Session
NR 491 Public cloneable() Method Without Final ('Object Hijack')
R 492 Use of Inner Class Containing Sensitive Data
D R 493 Critical Public Variable Without Final Modifier
DNR 494 Download of Code Without Integrity Check
DNR 497 Exposure of System Data to an Unauthorized Control Sphere
DNR 498 Cloneable Class Containing Sensitive Information
R 499 Serializable Class Containing Sensitive Data
DNR 500 Public Static Field Not Marked Final
D R 502 Deserialization of Untrusted Data
D 506 Embedded Malicious Code
D 507 Trojan Horse
D 511 Logic/Time Bomb
D 512 Spyware
R 513 Intentionally Introduced Nonmalicious Weakness
D R 514 Covert Channel
D 515 Covert Storage Channel
R 516 DEPRECATED (Duplicate): Covert Timing Channel
D R 518 Inadvertently Introduced Weakness
R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
NR 524 Information Exposure Through Caching
N 525 Information Exposure Through Browser Caching
NR 526 Information Exposure Through Environmental Variables
DNR 527 Exposure of CVS Repository to an Unauthorized Control Sphere
DNR 528 Exposure of Core Dump File to an Unauthorized Control Sphere
DNR 529 Exposure of Access Control List Files to an Unauthorized Control Sphere
DNR 530 Exposure of Backup File to an Unauthorized Control Sphere
NR 531 Information Exposure Through Test Code
DNR 532 Information Exposure Through Log Files
NR 533 Information Exposure Through Server Log Files
NR 534 Information Exposure Through Debug Log Files
N 535 Information Exposure Through Shell Error Message
N 536 Information Exposure Through Servlet Runtime Error Message
N 537 Information Exposure Through Java Runtime Error Message
DNR 538 File and Directory Information Exposure
DNR 539 Information Exposure Through Persistent Cookies
DNR 540 Information Exposure Through Source Code
NR 541 Information Exposure Through Include Source Code
DNR 542 Information Exposure Through Cleanup Log Files
DNR 543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
DNR 544 Missing Standardized Error Handling Mechanism
D R 547 Use of Hard-coded, Security-relevant Constants
DN 548 Information Exposure Through Directory Listing
D R 549 Missing Password Field Masking
DNR 550 Information Exposure Through Server Error Message
D R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
R 552 Files or Directories Accessible to External Parties
D 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
D 555 J2EE Misconfiguration: Plaintext Password in Configuration File
D R 556 ASP.NET Misconfiguration: Use of Identity Impersonation
R 561 Dead Code
R 562 Return of Stack Variable Address
R 563 Unused Variable
DNR 565 Reliance on Cookies without Validation and Integrity Checking
DN 566 Authorization Bypass Through User-Controlled SQL Primary Key
DNR 567 Unsynchronized Access to Shared Data in a Multithreaded Context
D R 568 finalize() Method Without super.finalize()
R 569 Expression Issues
R 570 Expression is Always False
R 571 Expression is Always True
D R 572 Call to Thread run() instead of start()
DNR 573 Improper Following of Specification by Caller
D R 574 EJB Bad Practices: Use of Synchronization Primitives
D 575 EJB Bad Practices: Use of AWT Swing
D 576 EJB Bad Practices: Use of Java I/O
D 577 EJB Bad Practices: Use of Sockets
D 578 EJB Bad Practices: Use of Class Loader
D 580 clone() Method Without super.clone()
D R 581 Object Model Violation: Just One of Equals and Hashcode Defined
D R 582 Array Declared Public, Final, and Static
D R 583 finalize() Method Declared Public
R 584 Return Inside Finally Block
D 585 Empty Synchronized Block
D R 586 Explicit Call to Finalize()
D R 587 Assignment of a Fixed Address to a Pointer
R 588 Attempt to Access Child of a Non-structure Pointer
D R 589 Call to Non-ubiquitous API
DNR 590 Free of Memory not on the Heap
D R 591 Sensitive Data Storage in Improperly Locked Memory
D 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
NR 595 Comparison of Object References Instead of Object Contents
R 596 Incorrect Semantic Object Comparison
D R 597 Use of Wrong Operator in String Comparison
NR 598 Information Exposure Through Query Strings in GET Request
D 599 Trust of OpenSSL Certificate Without Validation
DNR 600 Uncaught Exception in Servlet
NR 601 URL Redirection to Untrusted Site ('Open Redirect')
DNR 602 Client-Side Enforcement of Server-Side Security
NR 604 Deprecated Entries
R 606 Unchecked Input for Loop Condition
R 607 Public Static Final Field References Mutable Object
R 609 Double-Checked Locking
N 611 Information Exposure Through XML External Entity Reference
N 612 Information Exposure Through Indexing of Private Data
R 613 Insufficient Session Expiration
DN 615 Information Exposure Through Comments
D 616 Incomplete Identification of Uploaded File Variables (PHP)
D R 618 Exposed Unsafe ActiveX Method
DNR 619 Dangling Database Cursor ('Cursor Injection')
D 621 Variable Extraction Error
R 622 Unvalidated Function Hook Arguments
D 624 Executable Regular Expression Error
D R 625 Permissive Regular Expression
D 627 Dynamic Variable Evaluation
D R 628 Function Call with Incorrectly Specified Arguments
R 632 Weaknesses that Affect Files or Directories
R 633 Weaknesses that Affect Memory
DNR 636 Not Failing Securely ('Failing Open')
DN 637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
DNR 638 Not Using Complete Mediation
DNR 639 Authorization Bypass Through User-Controlled Key
R 640 Weak Password Recovery Mechanism for Forgotten Password
DN 641 Improper Restriction of Names for Files and Other Resources
DNR 642 External Control of Critical State Data
DN 643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
DNR 644 Improper Neutralization of HTTP Headers for Scripting Syntax
D 645 Overly Restrictive Account Lockout Mechanism
DNR 646 Reliance on File Name or Extension of Externally-Supplied File
DNR 647 Use of Non-Canonical URL Paths for Authorization Decisions
DN 648 Incorrect Use of Privileged APIs
D 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
D 650 Trusting HTTP Permission Methods on the Server Side
DN 651 Information Exposure Through WSDL File
DN 652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
N 653 Insufficient Compartmentalization
DNR 654 Reliance on a Single Factor in a Security Decision
DN 655 Insufficient Psychological Acceptability
DN 656 Reliance on Security Through Obscurity
DNR 662 Improper Synchronization
DNR 663 Use of a Non-reentrant Function in a Concurrent Context
DNR 664 Improper Control of a Resource Through its Lifetime
DNR 665 Improper Initialization
R 666 Operation on Resource in Wrong Phase of Lifetime
DNR 667 Improper Locking
D R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
R 670 Always-Incorrect Control Flow Implementation
DNR 671 Lack of Administrator Control over Security
DNR 672 Operation on a Resource after Expiration or Release
R 674 Uncontrolled Recursion
R 675 Duplicate Operations on Resource
R 676 Use of Potentially Dangerous Function
D R 681 Incorrect Conversion between Numeric Types
D R 682 Incorrect Calculation
DNR 684 Incorrect Provision of Specified Functionality
D 685 Function Call With Incorrect Number of Arguments
D R 686 Function Call With Incorrect Argument Type
D R 687 Function Call With Incorrectly Specified Argument Value
D 688 Function Call With Incorrect Variable or Reference as Argument
R 689 Permission Race Condition During Resource Copy
R 690 Unchecked Return Value to NULL Pointer Dereference
R 691 Insufficient Control Flow Management
D R 693 Protection Mechanism Failure
D R 696 Incorrect Behavior Order
D R 697 Insufficient Comparison
NR 703 Improper Check or Handling of Exceptional Conditions
D R 704 Incorrect Type Conversion or Cast
R 705 Incorrect Control Flow Scoping
R 706 Use of Incorrectly-Resolved Name or Reference
DNR 707 Improper Enforcement of Message or Data Structure
D R 708 Incorrect Ownership Assignment
R 710 Coding Standards Violation
R 715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
R 722 OWASP Top Ten 2004 Category A1 - Unvalidated Input
R 723 OWASP Top Ten 2004 Category A2 - Broken Access Control
R 724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
R 725 OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
R 726 OWASP Top Ten 2004 Category A5 - Buffer Overflows
R 727 OWASP Top Ten 2004 Category A6 - Injection Flaws
R 728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
R 729 OWASP Top Ten 2004 Category A8 - Insecure Storage
R 731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
DNR 732 Incorrect Permission Assignment for Critical Resource
R 1000 Research Concepts
Detailed Difference Report
Detailed Difference Report
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Common_Consequences, Other_Notes
Minor None
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Other_Notes, Potential_Mitigations, References
Minor None
7 J2EE Misconfiguration: Missing Custom Error Page
Major Common_Consequences, Description, Name, Relationships
Minor None
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Common_Consequences, Demonstrative_Examples
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor None
12 ASP.NET Misconfiguration: Missing Custom Error Page
Major Background_Details, Common_Consequences, Demonstrative_Examples, Name, Other_Notes, Potential_Mitigations, Relationships
Minor None
13 ASP.NET Misconfiguration: Password in Configuration File
Major Common_Consequences, Demonstrative_Examples
Minor Potential_Mitigations
14 Compiler Removal of Code to Clear Buffers
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
15 External Control of System or Configuration Setting
Major Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Other_Notes, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
16 Configuration
Major Taxonomy_Mappings
Minor None
20 Improper Input Validation
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Maintenance_Notes, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes
Minor None
21 Pathname Traversal and Equivalence Errors
Major Description
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Weakness_Ordinalities
Minor None
23 Relative Path Traversal
Major Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations
Minor None
24 Path Traversal: '../filedir'
Major Common_Consequences, Description, Potential_Mitigations
Minor None
25 Path Traversal: '/../filedir'
Major Common_Consequences, Description, Potential_Mitigations
Minor None
26 Path Traversal: '/dir/../filename'
Major Common_Consequences, Description, Potential_Mitigations
Minor Applicable_Platforms
27 Path Traversal: 'dir/../../filename'
Major Common_Consequences, Description, Potential_Mitigations
Minor None
28 Path Traversal: '..\filedir'
Major Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations
Minor None
29 Path Traversal: '\..\filename'
Major Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations
Minor None
30 Path Traversal: '\dir\..\filename'
Major Applicable_Platforms, Common_Consequences, Description, Observed_Examples, Potential_Mitigations
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Applicable_Platforms, Common_Consequences, Description, Potential_Mitigations
Minor Name
32 Path Traversal: '...' (Triple Dot)
Major Common_Consequences, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Common_Consequences, Description, Maintenance_Notes, Potential_Mitigations
Minor None
34 Path Traversal: '....//'
Major Common_Consequences, Description, Potential_Mitigations, Relationships
Minor None
35 Path Traversal: '.../...//'
Major Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Relationships
Minor None
36 Absolute Path Traversal
Major Common_Consequences, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Common_Consequences, Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
39 Path Traversal: 'C:dirname'
Major Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Common_Consequences, Potential_Mitigations
Minor None
41 Improper Resolution of Path Equivalence
Major Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Common_Consequences
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Common_Consequences
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Common_Consequences
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Common_Consequences, Relationships
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Common_Consequences
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Common_Consequences
Minor Name
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Common_Consequences
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Common_Consequences, Observed_Examples
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Common_Consequences
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Common_Consequences
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Common_Consequences
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Common_Consequences
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Common_Consequences
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Common_Consequences
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Common_Consequences
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Common_Consequences, Description, Name, Observed_Examples, Other_Notes, Theoretical_Notes
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Common_Consequences, Description
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Background_Details, Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
61 UNIX Symbolic Link (Symlink) Following
Major Common_Consequences, Description, Observed_Examples
Minor None
62 UNIX Hard Link
Major Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor None
64 Windows Shortcut Following (.LNK)
Major Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor None
65 Windows Hard Link
Major Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Common_Consequences, Description, Name
Minor None
67 Improper Handling of Windows Device Names
Major Background_Details, Common_Consequences, Description, Name, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Common_Consequences, Description, Name, Other_Notes, Related_Attack_Patterns, Theoretical_Notes
Minor None
71 Apple '.DS_Store'
Major Common_Consequences, Maintenance_Notes, Related_Attack_Patterns
Minor Description
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, References, Theoretical_Notes
Minor None
73 External Control of File Name or Path
Major Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Common_Consequences, Description, Name, Other_Notes, Related_Attack_Patterns, Relationship_Notes, Relationships
Minor Potential_Mitigations
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Common_Consequences, Description
Minor Potential_Mitigations
76 Improper Neutralization of Equivalent Special Elements
Major Common_Consequences, Description, Name, Other_Notes
Minor Potential_Mitigations
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes, White_Box_Definitions
Minor Alternate_Terms
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, White_Box_Definitions
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Common_Consequences, Description, Name, Potential_Mitigations, Related_Attack_Patterns
Minor None
82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Relationships
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns
Minor None
85 Doubled Character XSS Manipulations
Major Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns
Minor None
86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Major Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns
Minor None
88 Argument Injection or Modification
Major Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Enabling_Factors_for_Exploitation, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Common_Consequences, Description, Maintenance_Notes, Other_Notes, Relationships, Taxonomy_Mappings, Theoretical_Notes
Minor None
92 DEPRECATED: Improper Sanitization of Custom Special Characters
Major Applicable_Platforms, Causal_Nature, Description, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction, Type, Weakness_Ordinalities
Minor None
93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Major Common_Consequences, Description, Likelihood_of_Exploit, Name, Other_Notes, References, Taxonomy_Mappings
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships
Minor Applicable_Platforms
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Research_Gaps
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Major Common_Consequences, Description, Name, Other_Notes, Relationship_Notes, Taxonomy_Mappings, Type
Minor Potential_Mitigations
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
99 Improper Control of Resource Identifiers ('Resource Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, White_Box_Definitions
Minor None
100 Technology-Specific Input Validation Problems
Major Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Type
Minor None
102 Struts: Duplicate Validation Forms
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships
Minor None
103 Struts: Incomplete validate() Method Definition
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Other_Notes, Relationship_Notes, Relationships
Minor None
104 Struts: Form Bean Does Not Extend Validation Class
Major Background_Details, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships
Minor None
105 Struts: Form Field Without Validator
Major Common_Consequences, Demonstrative_Examples
Minor None
106 Struts: Plug-in Framework not in Use
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships
Minor None
107 Struts: Unused Validation Form
Major Common_Consequences, Demonstrative_Examples
Minor None
108 Struts: Unvalidated Action Form
Major Common_Consequences, Description, Other_Notes
Minor None
109 Struts: Validator Turned Off
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships
Minor None
110 Struts: Validator Without Form Field
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor None
111 Direct Use of Unsafe JNI
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
112 Missing XML Validation
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Taxonomy_Mappings, Theoretical_Notes
Minor None
114 Process Control
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Related_Attack_Patterns
Minor None
115 Misinterpretation of Input
Major Common_Consequences, Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Terminology_Notes, Theoretical_Notes
Minor None
117 Improper Output Neutralization for Logs
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
Minor None
118 Improper Access of Indexable Resource ('Range Error')
Major Common_Consequences, Description, Name, Relationships
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction, Type
Minor None
121 Stack-based Buffer Overflow
Major Common_Consequences, Potential_Mitigations, References, Relationships, White_Box_Definitions
Minor None
122 Heap-based Buffer Overflow
Major Common_Consequences, Other_Notes, References, Relationship_Notes, Relationships
Minor Potential_Mitigations
123 Write-what-where Condition
Major Common_Consequences, Other_Notes, Relationships
Minor Potential_Mitigations
124 Buffer Underwrite ('Buffer Underflow')
Major Common_Consequences, Demonstrative_Examples, Description, Name, Relationships
Minor Potential_Mitigations
125 Out-of-bounds Read
Major Common_Consequences, Description, Relationships
Minor None
126 Buffer Over-read
Major Common_Consequences, Demonstrative_Examples, Description, Relationship_Notes, Relationships
Minor None
127 Buffer Under-read
Major Common_Consequences, Description, Relationships
Minor None
128 Wrap-around Error
Major Background_Details, Common_Consequences, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms, Potential_Mitigations
129 Improper Validation of Array Index
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Taxonomy_Mappings, Theoretical_Notes, Weakness_Ordinalities
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Relationships
Minor Applicable_Platforms
131 Incorrect Calculation of Buffer Size
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
132 DEPRECATED (Duplicate): Miscalculated Null Termination
Major Relationships
Minor None
134 Uncontrolled Format String
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor Applicable_Platforms, Other_Notes, Potential_Mitigations
135 Incorrect Calculation of Multi-Byte String Length
Major Common_Consequences, Demonstrative_Examples, Description, References, Relationships, Taxonomy_Mappings
Minor None
138 Improper Neutralization of Special Elements
Major Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
139 DEPRECATED: General Special Element Problems
Major Description, Relationships
Minor None
140 Improper Neutralization of Delimiters
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
142 Improper Neutralization of Value Delimiters
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
143 Improper Neutralization of Record Delimiters
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
144 Improper Neutralization of Line Delimiters
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
145 Improper Neutralization of Section Delimiters
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Applicable_Platforms, Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Relationship_Notes
Minor None
147 Improper Neutralization of Input Terminators
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
148 Improper Neutralization of Input Leaders
Major Common_Consequences, Name, Potential_Mitigations
Minor None
149 Improper Neutralization of Quoting Syntax
Major Common_Consequences, Name, Potential_Mitigations
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
151 Improper Neutralization of Comment Delimiters
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations
Minor None
152 Improper Neutralization of Macro Symbols
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations
Minor None
153 Improper Neutralization of Substitution Characters
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
156 Improper Neutralization of Whitespace
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
157 Failure to Sanitize Paired Delimiters
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Taxonomy_Mappings
Minor None
159 Failure to Sanitize Special Element
Major Common_Consequences, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations, Terminology_Notes
Minor None
160 Improper Neutralization of Leading Special Elements
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships
Minor None
164 Improper Neutralization of Internal Special Elements
Major Common_Consequences, Description, Name, Potential_Mitigations
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships
Minor None
166 Improper Handling of Missing Special Element
Major Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Relationships
Minor None
167 Improper Handling of Additional Special Element
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, Relationships
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships
Minor None
169 Technology-Specific Special Elements
Major Other_Notes
Minor None
170 Improper Null Termination
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
171 Cleansing, Canonicalization, and Comparison Errors
Major Applicable_Platforms, Description, Relationships, Taxonomy_Mappings
Minor None
172 Encoding Error
Major Common_Consequences, Description, Potential_Mitigations
Minor None
173 Improper Handling of Alternate Encoding
Major Common_Consequences, Name, Potential_Mitigations
Minor None
174 Double Decoding of the Same Data
Major Common_Consequences, Observed_Examples, Potential_Mitigations
Minor None
175 Improper Handling of Mixed Encoding
Major Common_Consequences, Name, Potential_Mitigations
Minor None
176 Improper Handling of Unicode Encoding
Major Common_Consequences, Demonstrative_Examples, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Common_Consequences, Name, Potential_Mitigations
Minor None
178 Improper Handling of Case Sensitivity
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations
Minor None
179 Incorrect Behavior Order: Early Validation
Major Common_Consequences, Description, Potential_Mitigations, Relationships, Research_Gaps
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
181 Incorrect Behavior Order: Validate Before Filter
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples
Minor Potential_Mitigations
182 Collapse of Data into Unsafe Value
Major Common_Consequences, Description, Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Name
183 Permissive Whitelist
Major Common_Consequences, Potential_Mitigations, Relationships
Minor None
184 Incomplete Blacklist
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Related_Attack_Patterns, Relationship_Notes, Relationships, Time_of_Introduction
Minor None
185 Incorrect Regular Expression
Major Common_Consequences, Description, Observed_Examples, Other_Notes, References
Minor None
186 Overly Restrictive Regular Expression
Major Common_Consequences
Minor Potential_Mitigations
187 Partial Comparison
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Other_Notes, Relationship_Notes, Relationships
Minor None
188 Reliance on Data/Memory Layout
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor Potential_Mitigations
189 Numeric Errors
Major Relationships
Minor None
190 Integer Overflow or Wraparound
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Functional_Areas, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Terminology_Notes
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Common_Consequences, Demonstrative_Examples, Description
Minor None
192 Integer Coercion Error
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
193 Off-by-one Error
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
194 Unexpected Sign Extension
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships
Minor None
195 Signed to Unsigned Conversion Error
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships
Minor None
196 Unsigned to Signed Conversion Error
Major Common_Consequences, Demonstrative_Examples, Other_Notes
Minor Potential_Mitigations
197 Numeric Truncation Error
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationships, Research_Gaps, Taxonomy_Mappings
Minor Potential_Mitigations
198 Use of Incorrect Byte Ordering
Major Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor None
199 Information Management Errors
Major Relationships
Minor None
200 Information Exposure
Major Alternate_Terms, Common_Consequences, Description, Name, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
201 Information Exposure Through Sent Data
Major Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations
Minor None
202 Exposure of Sensitive Data Through Data Queries
Major Common_Consequences, Name
Minor None
203 Information Exposure Through Discrepancy
Major Common_Consequences, Description, Name
Minor None
204 Response Discrepancy Information Exposure
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations
Minor None
205 Information Exposure Through Behavioral Discrepancy
Major Common_Consequences, Description, Name, Taxonomy_Mappings
Minor None
206 Information Exposure of Internal State Through Behavioral Inconsistency
Major Common_Consequences, Name
Minor None
207 Information Exposure Through an External Behavioral Inconsistency
Major Common_Consequences, Description, Name
Minor None
208 Information Exposure Through Timing Discrepancy
Major Common_Consequences, Description, Name, Relationships
Minor None
209 Information Exposure Through an Error Message
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
210 Information Exposure Through Generated Error Message
Major Common_Consequences, Demonstrative_Examples, Name, Potential_Mitigations, Relationships
Minor None
211 Information Exposure Through External Error Message
Major Common_Consequences, Description, Enabling_Factors_for_Exploitation, Functional_Areas, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationship_Notes, Weakness_Ordinalities
Minor Applicable_Platforms
212 Improper Cross-boundary Removal of Sensitive Data
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Terminology_Notes
Minor None
213 Intentional Information Exposure
Major Common_Consequences, Demonstrative_Examples, Name
Minor None
214 Information Exposure Through Process Environment
Major Common_Consequences, Description, Name
Minor None
215 Information Exposure Through Debug Information
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
216 Containment Errors (Container Errors)
Major Common_Consequences, Relationships
Minor None
217 DEPRECATED: Failure to Protect Stored Data from Modification
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
218 DEPRECATED (Duplicate): Failure to provide confidentiality for stored data
Major Relationships
Minor None
219 Sensitive Data Under Web Root
Major Common_Consequences, Relationships
Minor None
220 Sensitive Data Under FTP Root
Major Common_Consequences
Minor None
221 Information Loss or Omission
Major Common_Consequences
Minor None
222 Truncation of Security-relevant Information
Major Common_Consequences
Minor None
223 Omission of Security-relevant Information
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
224 Obscured Security-relevant Information by Alternate Name
Major Common_Consequences, Demonstrative_Examples
Minor None
225 DEPRECATED (Duplicate): General Information Management Problems
Major Relationships
Minor None
226 Sensitive Information Uncleared Before Release
Major Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
227 Improper Fulfillment of API Contract ('API Abuse')
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
228 Improper Handling of Syntactically Invalid Structure
Major Common_Consequences, Description, Name
Minor None
229 Improper Handling of Values
Major Common_Consequences, Description
Minor None
230 Improper Handling of Missing Values
Major Common_Consequences, Description, Name, Other_Notes, Relationships, Research_Gaps, Taxonomy_Mappings
Minor None
231 Improper Handling of Extra Values
Major Common_Consequences, Description, Name
Minor None
232 Improper Handling of Undefined Values
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
233 Parameter Problems
Major Common_Consequences
Minor None
234 Failure to Handle Missing Parameter
Major Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations
Minor None
235 Improper Handling of Extra Parameters
Major Common_Consequences, Description, Name
Minor None
236 Improper Handling of Undefined Parameters
Major Common_Consequences, Description, Name
Minor None
237 Improper Handling of Structural Elements
Major Common_Consequences, Description, Name
Minor None
238 Improper Handling of Incomplete Structural Elements
Major Common_Consequences, Description, Name
Minor None
239 Failure to Handle Incomplete Element
Major Common_Consequences, Description
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Common_Consequences, Description, Name
Minor None
241 Improper Handling of Unexpected Data Type
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
242 Use of Inherently Dangerous Function
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, References, Relationships, Taxonomy_Mappings
Minor None
243 Creation of chroot Jail Without Changing Working Directory
Major Common_Consequences, Demonstrative_Examples, Description, Name
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Common_Consequences, Demonstrative_Examples
Minor None
246 J2EE Bad Practices: Direct Use of Sockets
Major Common_Consequences
Minor None
247 Reliance on DNS Lookups in a Security Decision
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
248 Uncaught Exception
Major Applicable_Platforms, Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor None
249 DEPRECATED: Often Misused: Path Manipulation
Major Affected_Resources, Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type, White_Box_Definitions
Minor None
250 Execution with Unnecessary Privileges
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Maintenance_Notes, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
252 Unchecked Return Value
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
Minor None
253 Incorrect Check of Function Return Value
Major Common_Consequences, Demonstrative_Examples, Description, Name, Relationships
Minor Potential_Mitigations
254 Security Features
Major Relationships
Minor None
255 Credentials Management
Major Relationships
Minor None
256 Plaintext Storage of a Password
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
257 Storing Passwords in a Recoverable Format
Major Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Potential_Mitigations, Relationships
Minor None
258 Empty Password in Configuration File
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations
Minor None
259 Use of Hard-coded Password
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
260 Password in Configuration File
Major Common_Consequences, Description
Minor None
261 Weak Cryptography for Passwords
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor None
262 Not Using Password Aging
Major Common_Consequences, Relationships
Minor Potential_Mitigations
263 Password Aging with Long Expiration
Major Common_Consequences, Description, Other_Notes, Relationships
Minor Potential_Mitigations
264 Permissions, Privileges, and Access Controls
Major References, Relationships
Minor None
265 Privilege / Sandbox Issues
Major Description, Potential_Mitigations, Relationships, Research_Gaps, Theoretical_Notes
Minor None
266 Incorrect Privilege Assignment
Major Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Demonstrative_Examples
267 Privilege Defined With Unsafe Actions
Major Common_Consequences, Potential_Mitigations, Relationships
Minor None
268 Privilege Chaining
Major Common_Consequences, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps
Minor None
269 Improper Privilege Management
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships
Minor None
270 Privilege Context Switching Error
Major Common_Consequences, Potential_Mitigations, References
Minor None
271 Privilege Dropping / Lowering Errors
Major Common_Consequences, Description, Maintenance_Notes, Potential_Mitigations, Relationships
Minor None
272 Least Privilege Violation
Major Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
273 Improper Check for Dropped Privileges
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
274 Improper Handling of Insufficient Privileges
Major Common_Consequences, Description, Maintenance_Notes, Name, Theoretical_Notes
Minor None
275 Permission Issues
Major Relationships
Minor None
276 Incorrect Default Permissions
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
277 Insecure Inherited Permissions
Major Common_Consequences
Minor Potential_Mitigations
278 Insecure Preserved Inherited Permissions
Major Common_Consequences
Minor Potential_Mitigations
279 Incorrect Execution-Assigned Permissions
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
280 Improper Handling of Insufficient Permissions or Privileges
Major Common_Consequences, Description, Name, Taxonomy_Mappings, Theoretical_Notes
Minor Potential_Mitigations
281 Improper Preservation of Permissions
Major Common_Consequences, Description, Name
Minor None
282 Improper Ownership Management
Major Common_Consequences, Potential_Mitigations, Relationships
Minor None
283 Unverified Ownership
Major Common_Consequences, Potential_Mitigations, Relationships
Minor None
284 Improper Access Control
Major Alternate_Terms, Background_Details, Common_Consequences, Description, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
Minor None
285 Improper Authorization
Major Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Type
Minor None
286 Incorrect User Management
Major Applicable_Platforms, Common_Consequences, Maintenance_Notes, Relationships
Minor None
287 Improper Authentication
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
288 Authentication Bypass Using an Alternate Path or Channel
Major Common_Consequences, Observed_Examples, Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Theoretical_Notes
Minor None
290 Authentication Bypass by Spoofing
Major Common_Consequences, Demonstrative_Examples, Relationship_Notes
Minor None
291 Trusting Self-reported IP Address
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor Potential_Mitigations
292 Trusting Self-reported DNS Name
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations
Minor None
293 Using Referer Field for Authentication
Major Common_Consequences, Demonstrative_Examples
Minor Potential_Mitigations
294 Authentication Bypass by Capture-replay
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns
Minor None
295 Certificate Issues
Major Background_Details, Description
Minor None
296 Improper Following of Chain of Trust for Certificate Validation
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Relationships
Minor Potential_Mitigations
297 Improper Validation of Host-specific Certificate Data
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Relationships
Minor Potential_Mitigations
298 Improper Validation of Certificate Expiration
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Relationships
Minor Potential_Mitigations
299 Improper Check for Certificate Revocation
Major Common_Consequences, Description, Name, Other_Notes, Relationships
Minor Potential_Mitigations
300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
301 Reflection Attack in an Authentication Protocol
Major Common_Consequences, Demonstrative_Examples
Minor Potential_Mitigations
302 Authentication Bypass by Assumed-Immutable Data
Major Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
303 Incorrect Implementation of Authentication Algorithm
Major Common_Consequences, Description, Name
Minor None
304 Missing Critical Step in Authentication
Major Common_Consequences, Description, Relationships
Minor None
305 Authentication Bypass by Primary Weakness
Major Common_Consequences, Observed_Examples
Minor None
306 Missing Authentication for Critical Function
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
308 Use of Single-factor Authentication
Major Common_Consequences, Description, Other_Notes
Minor Potential_Mitigations
309 Use of Password System for Primary Authentication
Major Common_Consequences
Minor Potential_Mitigations
310 Cryptographic Issues
Major Maintenance_Notes, References, Relationship_Notes, Relationships
Minor None
311 Missing Encryption of Sensitive Data
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
312 Cleartext Storage of Sensitive Information
Major Common_Consequences, Description, Name, References, Relationships
Minor None
313 Plaintext Storage in a File or on Disk
Major Common_Consequences, Demonstrative_Examples
Minor None
314 Plaintext Storage in the Registry
Major Common_Consequences
Minor None
315 Plaintext Storage in a Cookie
Major Common_Consequences
Minor None
316 Plaintext Storage in Memory
Major Common_Consequences
Minor None
317 Plaintext Storage in GUI
Major Common_Consequences
Minor Applicable_Platforms
318 Plaintext Storage in Executable
Major Common_Consequences
Minor None
319 Cleartext Transmission of Sensitive Information
Major Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
320 Key Management Errors
Major Observed_Examples
Minor None
321 Use of Hard-coded Cryptographic Key
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor Potential_Mitigations
322 Key Exchange without Entity Authentication
Major Common_Consequences, Description, Other_Notes, Relationships
Minor Potential_Mitigations
323 Reusing a Nonce, Key Pair in Encryption
Major Common_Consequences, Demonstrative_Examples
Minor Potential_Mitigations
324 Use of a Key Past its Expiration Date
Major Common_Consequences, Demonstrative_Examples
Minor Potential_Mitigations
325 Missing Required Cryptographic Step
Major Common_Consequences
Minor None
326 Inadequate Encryption Strength
Major Common_Consequences, Description, Maintenance_Notes, Name, References, Related_Attack_Patterns, Relationships
Minor Potential_Mitigations
327 Use of a Broken or Risky Cryptographic Algorithm
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
328 Reversible One-Way Hash
Major Common_Consequences, Description, References, Relationships
Minor None
329 Not Using a Random IV with CBC Mode
Major Common_Consequences, Demonstrative_Examples
Minor None
330 Use of Insufficiently Random Values
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Functional_Areas
331 Insufficient Entropy
Major Common_Consequences, Taxonomy_Mappings
Minor None
332 Insufficient Entropy in PRNG
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
333 Improper Handling of Insufficient Entropy in TRNG
Major Common_Consequences, Description, Name, Other_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
334 Small Space of Random Values
Major Common_Consequences, Potential_Mitigations
Minor None
335 PRNG Seed Error
Major Common_Consequences
Minor None
336 Same Seed in PRNG
Major Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
337 Predictable Seed in PRNG
Major Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
338 Use of Cryptographically Weak PRNG
Major Common_Consequences
Minor None
339 Small Seed Space in PRNG
Major Common_Consequences, Observed_Examples, Potential_Mitigations
Minor None
340 Predictability Problems
Major Common_Consequences, Taxonomy_Mappings
Minor None
341 Predictable from Observable State
Major Common_Consequences, Potential_Mitigations
Minor None
342 Predictable Exact Value from Previous Values
Major Common_Consequences, Potential_Mitigations
Minor None
343 Predictable Value Range from Previous Values
Major Common_Consequences, Description, Potential_Mitigations
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major Common_Consequences, Potential_Mitigations, Relationships
Minor None
345 Insufficient Verification of Data Authenticity
Major Common_Consequences, Related_Attack_Patterns, Taxonomy_Mappings
Minor None
346 Origin Validation Error
Major Common_Consequences, Related_Attack_Patterns
Minor None
347 Improper Verification of Cryptographic Signature
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
348 Use of Less Trusted Source
Major Common_Consequences
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor None
350 Improperly Trusted Reverse DNS
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships
Minor None
351 Insufficient Type Distinction
Major Common_Consequences, Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Theoretical_Notes, Time_of_Introduction
Minor None
353 Missing Support for Integrity Check
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes
Minor Potential_Mitigations
354 Improper Validation of Integrity Check Value
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Relationships
Minor Potential_Mitigations
356 Product UI does not Warn User of Unsafe Actions
Major Common_Consequences, Description
Minor None
357 Insufficient UI Warning of Dangerous Operations
Major Common_Consequences, Description, Related_Attack_Patterns
Minor None
358 Improperly Implemented Security Check for Standard
Major Common_Consequences, Description, Modes_of_Introduction, Observed_Examples, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
359 Privacy Violation
Major Common_Consequences, Demonstrative_Examples, Other_Notes, References, Relationships, Taxonomy_Mappings
Minor None
360 Trust of System Event Data
Major Common_Consequences, Description, Other_Notes
Minor None
361 Time and State
Major Description, Relationships
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Maintenance_Notes, Name, Observed_Examples, Potential_Mitigations, References, Relationships, Research_Gaps, Taxonomy_Mappings
Minor None
363 Race Condition Enabling Link Following
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
364 Signal Handler Race Condition
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships
Minor Applicable_Platforms
365 Race Condition in Switch
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
366 Race Condition within a Thread
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, References, Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, White_Box_Definitions
Minor Potential_Mitigations
368 Context Switching Race Condition
Major Common_Consequences, Description, Observed_Examples, Other_Notes, Relationship_Notes, Weakness_Ordinalities
Minor None
369 Divide By Zero
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
370 Missing Check for Certificate Revocation after Initial Check
Major Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Relationships
Minor None
371 State Issues
Major Relationships
Minor None
372 Incomplete Internal State Distinction
Major Common_Consequences, Maintenance_Notes
Minor None
373 DEPRECATED: State Synchronization Error
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
374 Passing Mutable Objects to an Untrusted Method
Major Common_Consequences, Demonstrative_Examples, Name, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
375 Returning a Mutable Object to an Untrusted Caller
Major Common_Consequences, Name, Relationships, Taxonomy_Mappings
Minor Demonstrative_Examples, Potential_Mitigations
377 Insecure Temporary File
Major Common_Consequences, Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
Minor None
378 Creation of Temporary File With Insecure Permissions
Major Common_Consequences, Other_Notes
Minor Potential_Mitigations
379 Creation of Temporary File in Directory with Incorrect Permissions
Major Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
381 J2EE Time and State Issues
Major Relationships
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor None
383 J2EE Bad Practices: Direct Use of Threads
Major Common_Consequences, Description, Other_Notes, Relationships
Minor None
384 Session Fixation
Major Common_Consequences, Demonstrative_Examples, Related_Attack_Patterns, Taxonomy_Mappings
Minor None
385 Covert Timing Channel
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations
Minor None
386 Symbolic Name not Mapping to Correct Object
Major Common_Consequences
Minor None
387 Signal Errors
Major Observed_Examples, Other_Notes
Minor None
388 Error Handling
Major Common_Consequences, Description, Related_Attack_Patterns, Relationships
Minor None
389 Error Conditions, Return Values, Status Codes
Major Description, Other_Notes, Weakness_Ordinalities
Minor None
390 Detection of Error Condition Without Action
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
391 Unchecked Error Condition
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor Potential_Mitigations
392 Missing Report of Error Condition
Major Common_Consequences, Description, Name, Other_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
393 Return of Wrong Status Code
Major Common_Consequences, Description, Other_Notes, Relationship_Notes, Relationships
Minor None
394 Unexpected Status Code or Return Value
Major Common_Consequences, Other_Notes, Relationship_Notes, Relationships
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
396 Declaration of Catch for Generic Exception
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships
Minor None
397 Declaration of Throws for Generic Exception
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
398 Indicator of Poor Code Quality
Major Common_Consequences, Relationships
Minor None
399 Resource Management Errors
Major Relationships
Minor None
400 Uncontrolled Resource Consumption ('Resource Exhaustion')
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
401 Improper Release of Memory Before Removing Last Reference ('Memory Leak')
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
402 Transmission of Private Resources into a New Sphere ('Resource Leak')
Major Alternate_Terms, Common_Consequences, Name
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere
Major Affected_Resources, Common_Consequences, Name, Observed_Examples, Relationships, Taxonomy_Mappings
Minor None
404 Improper Resource Shutdown or Release
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
405 Asymmetric Resource Consumption (Amplification)
Major Common_Consequences, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
406 Insufficient Control of Network Message Volume (Network Amplification)
Major Common_Consequences, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Name, Other_Notes, Relationship_Notes, Theoretical_Notes
Minor None
407 Algorithmic Complexity
Major Applicable_Platforms, Common_Consequences, Functional_Areas, Likelihood_of_Exploit, Other_Notes
Minor None
408 Incorrect Behavior Order: Early Amplification
Major Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationship_Notes, Relationships
Minor None
409 Improper Handling of Highly Compressed Data (Data Amplification)
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
410 Insufficient Resource Pool
Major Common_Consequences, Demonstrative_Examples, Description, References, Relationships, Taxonomy_Mappings
Minor Other_Notes
412 Unrestricted Externally Accessible Lock
Major Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
413 Improper Resource Locking
Major Common_Consequences, Demonstrative_Examples, Description, Name, Relationships, Taxonomy_Mappings
Minor None
414 Missing Lock Check
Major Common_Consequences
Minor None
415 Double Free
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
416 Use After Free
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
417 Channel and Path Errors
Major Other_Notes, Relationship_Notes
Minor None
418 Channel Errors
Major Relationships
Minor None
419 Unprotected Primary Channel
Major Common_Consequences, Related_Attack_Patterns
Minor None
420 Unprotected Alternate Channel
Major Common_Consequences
Minor Potential_Mitigations
421 Race Condition During Access to Alternate Channel
Major Common_Consequences, Description, References
Minor None
422 Unprotected Windows Messaging Channel ('Shatter')
Major Common_Consequences, Other_Notes, Relationship_Notes, Research_Gaps
Minor None
423 DEPRECATED (Duplicate): Proxied Trusted Channel
Major Applicable_Platforms, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
424 Improper Protection of Alternate Path
Major Common_Consequences, Name, Other_Notes
Minor None
425 Direct Request ('Forced Browsing')
Major Applicable_Platforms, Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor None
426 Untrusted Search Path
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Observed_Examples, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Functional_Areas
427 Uncontrolled Search Path Element
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships
Minor None
428 Unquoted Search Path or Element
Major Applicable_Platforms, Common_Consequences, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships
Minor None
429 Handler Errors
Major Other_Notes
Minor None
430 Deployment of Wrong Handler
Major Common_Consequences, Description, Other_Notes, Weakness_Ordinalities
Minor Potential_Mitigations
431 Missing Handler
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor None
432 Dangerous Signal Handler not Disabled During Sensitive Operations
Major Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
433 Unparsed Raw Web Content Delivery
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationship_Notes
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Functional_Areas, Likelihood_of_Exploit, Name, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationship_Notes, Relationships, Time_of_Introduction, Type, Weakness_Ordinalities
Minor None
435 Interaction Error
Major Common_Consequences, Description, Relationships
Minor None
436 Interpretation Conflict
Major Common_Consequences, Description, Observed_Examples, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
437 Incomplete Model of Endpoint Features
Major Common_Consequences, Description, Other_Notes, Relationship_Notes
Minor None
438 Behavioral Problems
Major Relationships
Minor None
439 Behavioral Change in New Version or Environment
Major Common_Consequences, Observed_Examples
Minor None
440 Expected Behavior Violation
Major Common_Consequences, Other_Notes, Relevant_Properties, Theoretical_Notes
Minor None
441 Unintended Proxy/Intermediary
Major Common_Consequences, Maintenance_Notes, Other_Notes, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
442 Web Problems
Major Relationships
Minor None
443 DEPRECATED (Duplicate): HTTP response splitting
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Major Common_Consequences, Name, Related_Attack_Patterns, Taxonomy_Mappings
Minor None
446 UI Discrepancy for Security Feature
Major Common_Consequences, Description, Maintenance_Notes, Other_Notes, Relationship_Notes
Minor None
447 Unimplemented or Unsupported Feature in UI
Major Common_Consequences, Other_Notes, Potential_Mitigations, Research_Gaps
Minor None
448 Obsolete Feature in UI
Major Common_Consequences
Minor None
449 The UI Performs the Wrong Action
Major Common_Consequences
Minor None
450 Multiple Interpretations of UI Input
Major Common_Consequences, Potential_Mitigations
Minor None
451 UI Misrepresentation of Critical Information
Major Common_Consequences
Minor None
453 Insecure Default Variable Initialization
Major Common_Consequences, Maintenance_Notes, Other_Notes
Minor Applicable_Platforms
454 External Initialization of Trusted Variables or Data Stores
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
455 Non-exit on Failed Initialization
Major Common_Consequences
Minor None
456 Missing Initialization
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationship_Notes, Relationships
Minor None
457 Use of Uninitialized Variable
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations
Minor Applicable_Platforms
458 DEPRECATED: Incorrect Initialization
Major Relationships
Minor None
459 Incomplete Cleanup
Major Common_Consequences, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
460 Improper Cleanup on Thrown Exception
Major Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
462 Duplicate Key in Associative List (Alist)
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
463 Deletion of Data Structure Sentinel
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations
Minor None
464 Addition of Data Structure Sentinel
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
465 Pointer Issues
Major Relationships
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Common_Consequences, Maintenance_Notes, Relationships, Taxonomy_Mappings
Minor None
467 Use of sizeof() on a Pointer Type
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
468 Incorrect Pointer Scaling
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor Potential_Mitigations
469 Use of Pointer Subtraction to Determine Size
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Common_Consequences, Other_Notes, Potential_Mitigations, Related_Attack_Patterns
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationship_Notes, Relationships, Theoretical_Notes
Minor None
473 PHP External Variable Modification
Major Common_Consequences, Other_Notes, Relationship_Notes, Relationships
Minor None
474 Use of Function with Inconsistent Implementations
Major Common_Consequences, Other_Notes
Minor Applicable_Platforms
475 Undefined Behavior for Input to API
Major Common_Consequences
Minor None
476 NULL Pointer Dereference
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Observed_Examples, Other_Notes, Potential_Mitigations, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
477 Use of Obsolete Functions
Major Common_Consequences, Demonstrative_Examples, Other_Notes
Minor None
478 Missing Default Case in Switch Statement
Major Common_Consequences, Demonstrative_Examples, Description, Name
Minor Potential_Mitigations
479 Signal Handler Use of a Non-reentrant Function
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
480 Use of Incorrect Operator
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms, Potential_Mitigations
481 Assigning instead of Comparing
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor Potential_Mitigations
482 Comparing instead of Assigning
Major Common_Consequences, Modes_of_Introduction, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
483 Incorrect Block Delimitation
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor Applicable_Platforms, Potential_Mitigations
484 Omitted Break Statement in Switch
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
485 Insufficient Encapsulation
Major Common_Consequences, Relationships
Minor None
486 Comparison of Classes by Name
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
487 Reliance on Package-level Scope
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor None
488 Exposure of Data Element to Wrong Session
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships
Minor None
489 Leftover Debug Code
Major Common_Consequences, Demonstrative_Examples
Minor None
491 Public cloneable() Method Without Final ('Object Hijack')
Major Common_Consequences, Demonstrative_Examples, Name, Relationships, Taxonomy_Mappings
Minor None
492 Use of Inner Class Containing Sensitive Data
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
493 Critical Public Variable Without Final Modifier
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
494 Download of Code Without Integrity Check
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Research_Gaps, Taxonomy_Mappings, Type
Minor None
495 Private Array-Typed Field Returned From A Public Method
Major Common_Consequences
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Common_Consequences
Minor None
497 Exposure of System Data to an Unauthorized Control Sphere
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
498 Cloneable Class Containing Sensitive Information
Major Common_Consequences, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
499 Serializable Class Containing Sensitive Data
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
500 Public Static Field Not Marked Final
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
501 Trust Boundary Violation
Major Common_Consequences
Minor None
502 Deserialization of Untrusted Data
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
506 Embedded Malicious Code
Major Common_Consequences, Description, Other_Notes, Terminology_Notes
Minor None
507 Trojan Horse
Major Common_Consequences, Description, References, Terminology_Notes
Minor None
508 Non-Replicating Malicious Code
Major Common_Consequences
Minor None
509 Replicating Malicious Code (Virus or Worm)
Major Common_Consequences
Minor None
510 Trapdoor
Major Common_Consequences
Minor None
511 Logic/Time Bomb
Major Common_Consequences, Description
Minor Potential_Mitigations
512 Spyware
Major Common_Consequences, Description, Potential_Mitigations
Minor None
513 Intentionally Introduced Nonmalicious Weakness
Major Relationships
Minor None
514 Covert Channel
Major Common_Consequences, Description, Other_Notes, Related_Attack_Patterns, Relationships, Theoretical_Notes
Minor None
515 Covert Storage Channel
Major Common_Consequences, Description, Other_Notes
Minor Potential_Mitigations
516 DEPRECATED (Duplicate): Covert Timing Channel
Major Relationships
Minor None
518 Inadvertently Introduced Weakness
Major Description, Relationships
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Common_Consequences
Minor None
521 Weak Password Requirements
Major Common_Consequences, Potential_Mitigations, Related_Attack_Patterns, Relationships
Minor None
522 Insufficiently Protected Credentials
Major Common_Consequences, Related_Attack_Patterns, Relationships
Minor None
523 Unprotected Transport of Credentials
Major Common_Consequences, Related_Attack_Patterns
Minor None
524 Information Exposure Through Caching
Major Common_Consequences, Name, Relationships, Taxonomy_Mappings
Minor None
525 Information Exposure Through Browser Caching
Major Common_Consequences, Name, Other_Notes, Potential_Mitigations
Minor None
526 Information Exposure Through Environmental Variables
Major Common_Consequences, Name, Relationships, Taxonomy_Mappings
Minor None
527 Exposure of CVS Repository to an Unauthorized Control Sphere
Major Common_Consequences, Description, Name, Relationships
Minor None
528 Exposure of Core Dump File to an Unauthorized Control Sphere
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
529 Exposure of Access Control List Files to an Unauthorized Control Sphere
Major Common_Consequences, Description, Name, Relationships
Minor None
530 Exposure of Backup File to an Unauthorized Control Sphere
Major Common_Consequences, Description, Name, Relationships
Minor None
531 Information Exposure Through Test Code
Major Common_Consequences, Name, Relationships
Minor None
532 Information Exposure Through Log Files
Major Common_Consequences, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
533 Information Exposure Through Server Log Files
Major Common_Consequences, Name, Relationships, Taxonomy_Mappings
Minor None
534 Information Exposure Through Debug Log Files
Major Common_Consequences, Name, Relationships, Taxonomy_Mappings
Minor None
535 Information Exposure Through Shell Error Message
Major Common_Consequences, Name
Minor None
536 Information Exposure Through Servlet Runtime Error Message
Major Common_Consequences, Demonstrative_Examples, Name, Other_Notes
Minor None
537 Information Exposure Through Java Runtime Error Message
Major Common_Consequences, Demonstrative_Examples, Name, Potential_Mitigations
Minor None
538 File and Directory Information Exposure
Major Common_Consequences, Description, Maintenance_Notes, Name, Relationships
Minor None
539 Information Exposure Through Persistent Cookies
Major Common_Consequences, Description, Name, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
540 Information Exposure Through Source Code
Major Common_Consequences, Description, Name, Relationships
Minor None
541 Information Exposure Through Include Source Code
Major Common_Consequences, Name, Relationships
Minor None
542 Information Exposure Through Cleanup Log Files
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
Minor None
544 Missing Standardized Error Handling Mechanism
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
545 Use of Dynamic Class Loading
Major Common_Consequences
Minor None
546 Suspicious Comment
Major Common_Consequences, Demonstrative_Examples
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Common_Consequences, Description, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
548 Information Exposure Through Directory Listing
Major Common_Consequences, Description, Name, Other_Notes, Taxonomy_Mappings
Minor None
549 Missing Password Field Masking
Major Common_Consequences, Description, Relationships
Minor None
550 Information Exposure Through Server Error Message
Major Common_Consequences, Description, Name, Relationships
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Common_Consequences, Demonstrative_Examples, Description, Relationships
Minor None
552 Files or Directories Accessible to External Parties
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor None
553 Command Shell in Externally Accessible Directory
Major Common_Consequences
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations
Minor None
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Common_Consequences, Description
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Common_Consequences, Description, Relationships
Minor None
558 Use of getlogin() in Multithreaded Application
Major Common_Consequences, Demonstrative_Examples, Taxonomy_Mappings
Minor None
559 Often Misused: Arguments and Parameters
Major Other_Notes, Related_Attack_Patterns, Relationship_Notes
Minor None
560 Use of umask() with chmod-style Argument
Major Common_Consequences
Minor None
561 Dead Code
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
562 Return of Stack Variable Address
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
563 Unused Variable
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
564 SQL Injection: Hibernate
Major Common_Consequences, Potential_Mitigations, Related_Attack_Patterns
Minor None
565 Reliance on Cookies without Validation and Integrity Checking
Major Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
566 Authorization Bypass Through User-Controlled SQL Primary Key
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Taxonomy_Mappings
Minor None
567 Unsynchronized Access to Shared Data in a Multithreaded Context
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
568 finalize() Method Without super.finalize()
Major Common_Consequences, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
569 Expression Issues
Major Relationships
Minor None
570 Expression is Always False
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
571 Expression is Always True
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
572 Call to Thread run() instead of start()
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
573 Improper Following of Specification by Caller
Major Common_Consequences, Description, Name, Relationships, Taxonomy_Mappings
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships
Minor None
575 EJB Bad Practices: Use of AWT Swing
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations
Minor None
576 EJB Bad Practices: Use of Java I/O
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes
Minor None
577 EJB Bad Practices: Use of Sockets
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations
Minor None
578 EJB Bad Practices: Use of Class Loader
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations
Minor None
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Common_Consequences, Demonstrative_Examples
Minor None
580 clone() Method Without super.clone()
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations
Minor None
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Common_Consequences, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
582 Array Declared Public, Final, and Static
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
583 finalize() Method Declared Public
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
584 Return Inside Finally Block
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
585 Empty Synchronized Block
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References
Minor None
586 Explicit Call to Finalize()
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Common_Consequences, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
588 Attempt to Access Child of a Non-structure Pointer
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships
Minor Potential_Mitigations
589 Call to Non-ubiquitous API
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
590 Free of Memory not on the Heap
Major Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Common_Consequences, Description, Other_Notes, Relationships, Taxonomy_Mappings
Minor Potential_Mitigations
592 Authentication Bypass Issues
Major Common_Consequences, Related_Attack_Patterns
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Common_Consequences, Demonstrative_Examples
Minor None
595 Comparison of Object References Instead of Object Contents
Major Common_Consequences, Demonstrative_Examples, Name, Relationships, Taxonomy_Mappings
Minor None
596 Incorrect Semantic Object Comparison
Major Common_Consequences, Demonstrative_Examples, Detection_Factors, Relationships
Minor None
597 Use of Wrong Operator in String Comparison
Major Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
598 Information Exposure Through Query Strings in GET Request
Major Common_Consequences, Name, Other_Notes, Relationships
Minor None
599 Trust of OpenSSL Certificate Without Validation
Major Common_Consequences, Description, Other_Notes
Minor Potential_Mitigations
600 Uncaught Exception in Servlet
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
602 Client-Side Enforcement of Server-Side Security
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Observed_Examples, Other_Notes, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Research_Gaps, Time_of_Introduction
Minor None
603 Use of Client-Side Authentication
Major Common_Consequences, Maintenance_Notes, Other_Notes
Minor None
604 Deprecated Entries
Major Name, Relationships, View_Filter, View_Structure
Minor None
605 Multiple Binds to the Same Port
Major Common_Consequences, Demonstrative_Examples
Minor None
606 Unchecked Input for Loop Condition
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
607 Public Static Final Field References Mutable Object
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor Description
608 Struts: Non-private Field in ActionForm Class
Major Common_Consequences, Demonstrative_Examples
Minor None
609 Double-Checked Locking
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor References
610 Externally Controlled Reference to a Resource in Another Sphere
Major Common_Consequences, Other_Notes, Related_Attack_Patterns, Relationship_Notes
Minor None
611 Information Exposure Through XML External Entity Reference
Major Background_Details, Common_Consequences, Name, Other_Notes, Taxonomy_Mappings
Minor None
612 Information Exposure Through Indexing of Private Data
Major Common_Consequences, Name, Other_Notes, Research_Gaps, Taxonomy_Mappings
Minor None
613 Insufficient Session Expiration
Major Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Common_Consequences, Observed_Examples, Related_Attack_Patterns
Minor Name
615 Information Exposure Through Comments
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Taxonomy_Mappings
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations
Minor None
617 Reachable Assertion
Major Common_Consequences
Minor None
618 Exposed Unsafe ActiveX Method
Major Common_Consequences, Description, Other_Notes, Relationships, Type
Minor None
619 Dangling Database Cursor ('Cursor Injection')
Major Background_Details, Common_Consequences, Description, Modes_of_Introduction, Name, Other_Notes, Relationships, Weakness_Ordinalities
Minor None
620 Unverified Password Change
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Other_Notes, Weakness_Ordinalities
Minor None
621 Variable Extraction Error
Major Common_Consequences, Description
Minor None
622 Unvalidated Function Hook Arguments
Major Common_Consequences, Other_Notes, Relationships, Weakness_Ordinalities
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Common_Consequences, References
Minor None
624 Executable Regular Expression Error
Major Common_Consequences, Description
Minor None
625 Permissive Regular Expression
Major Common_Consequences, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Common_Consequences, Other_Notes
Minor None
627 Dynamic Variable Evaluation
Major Background_Details, Common_Consequences, Description
Minor None
628 Function Call with Incorrectly Specified Arguments
Major Common_Consequences, Description, Detection_Factors, Other_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
632 Weaknesses that Affect Files or Directories
Major Relationships
Minor None
633 Weaknesses that Affect Memory
Major Relationships
Minor None
636 Not Failing Securely ('Failing Open')
Major Common_Consequences, Description, Name, Relationships, Research_Gaps
Minor None
637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Major Common_Consequences, Description, Name, Research_Gaps
Minor None
638 Not Using Complete Mediation
Major Common_Consequences, Description, Name, Related_Attack_Patterns, Relationships
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, Relationships
Minor None
640 Weak Password Recovery Mechanism for Forgotten Password
Major Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Common_Consequences, Description, Name, Type
Minor None
642 External Control of Critical State Data
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Relevant_Properties, Type
Minor None
643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Major Common_Consequences, Demonstrative_Examples, Description, Enabling_Factors_for_Exploitation, Name, References, Relationship_Notes, Taxonomy_Mappings
Minor None
644 Improper Neutralization of HTTP Headers for Scripting Syntax
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Relationships
Minor None
645 Overly Restrictive Account Lockout Mechanism
Major Common_Consequences, Description
Minor None
646 Reliance on File Name or Extension of Externally-Supplied File
Major Applicable_Platforms, Common_Consequences, Description, Name, Observed_Examples, Related_Attack_Patterns, Relationships
Minor None
647 Use of Non-Canonical URL Paths for Authorization Decisions
Major Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Observed_Examples
648 Incorrect Use of Privileged APIs
Major Common_Consequences, Description, Name, Potential_Mitigations, Related_Attack_Patterns
Minor None
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Common_Consequences, Description, Enabling_Factors_for_Exploitation, Observed_Examples
Minor None
650 Trusting HTTP Permission Methods on the Server Side
Major Common_Consequences, Description, Enabling_Factors_for_Exploitation
Minor None
651 Information Exposure Through WSDL File
Major Common_Consequences, Description, Name
Minor Applicable_Platforms
652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Major Common_Consequences, Description, Name, Relationship_Notes, Taxonomy_Mappings
Minor None
653 Insufficient Compartmentalization
Major Common_Consequences, Name, Other_Notes, Relationship_Notes, Terminology_Notes
Minor None
654 Reliance on a Single Factor in a Security Decision
Major Common_Consequences, Description, Maintenance_Notes, Name, Other_Notes, Related_Attack_Patterns, Relationships
Minor None
655 Insufficient Psychological Acceptability
Major Common_Consequences, Description, Name
Minor None
656 Reliance on Security Through Obscurity
Major Common_Consequences, Description, Name, Related_Attack_Patterns
Minor None
657 Violation of Secure Design Principles
Major Common_Consequences
Minor None
662 Improper Synchronization
Major Common_Consequences, Description, Name, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Common_Consequences, Description, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Common_Consequences, Description, Name, Related_Attack_Patterns, Relationships
Minor None
665 Improper Initialization
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor None
666 Operation on Resource in Wrong Phase of Lifetime
Major Common_Consequences, Relationships
Minor None
667 Improper Locking
Major Common_Consequences, Description, Name, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
668 Exposure of Resource to Wrong Sphere
Major Common_Consequences, Description, Other_Notes, Relationships, Theoretical_Notes
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Background_Details, Common_Consequences, Other_Notes, Relationships
Minor None
670 Always-Incorrect Control Flow Implementation
Major Common_Consequences, Maintenance_Notes, Modes_of_Introduction, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
671 Lack of Administrator Control over Security
Major Common_Consequences, Description, Name, Relationships
Minor None
672 Operation on a Resource after Expiration or Release
Major Common_Consequences, Demonstrative_Examples, Description, Name, Observed_Examples, Relationships
Minor None
673 External Influence of Sphere Definition
Major Common_Consequences, Other_Notes, Theoretical_Notes
Minor None
674 Uncontrolled Recursion
Major Common_Consequences, Related_Attack_Patterns, Relationships
Minor None
675 Duplicate Operations on Resource
Major Common_Consequences, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
676 Use of Potentially Dangerous Function
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
680 Integer Overflow to Buffer Overflow
Major Common_Consequences, Related_Attack_Patterns
Minor None
681 Incorrect Conversion between Numeric Types
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
682 Incorrect Calculation
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Type
Minor None
683 Function Call With Incorrect Order of Arguments
Major Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Other_Notes, Potential_Mitigations
Minor None
684 Incorrect Provision of Specified Functionality
Major Common_Consequences, Description, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
685 Function Call With Incorrect Number of Arguments
Major Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, Other_Notes, Potential_Mitigations
Minor None
686 Function Call With Incorrect Argument Type
Major Common_Consequences, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
688 Function Call With Incorrect Variable or Reference as Argument
Major Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, Other_Notes, Potential_Mitigations
Minor None
689 Permission Race Condition During Resource Copy
Major Common_Consequences, Related_Attack_Patterns, Relationships
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships, Taxonomy_Mappings
Minor None
691 Insufficient Control Flow Management
Major Common_Consequences, Maintenance_Notes, Other_Notes, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
692 Incomplete Blacklist to Cross-Site Scripting
Major Applicable_Platforms, Common_Consequences, Observed_Examples, Related_Attack_Patterns
Minor None
693 Protection Mechanism Failure
Major Common_Consequences, Description, Maintenance_Notes, Other_Notes, Related_Attack_Patterns, Relationships
Minor None
694 Use of Multiple Resources with Duplicate Identifier
Major Common_Consequences
Minor None
695 Use of Low-Level Functionality
Major Common_Consequences, Related_Attack_Patterns
Minor None
696 Incorrect Behavior Order
Major Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor None
697 Insufficient Comparison
Major Common_Consequences, Description, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
698 Redirect Without Exit
Major Common_Consequences
Minor None
701 Weaknesses Introduced During Design
Major View_Filter
Minor None
702 Weaknesses Introduced During Implementation
Major View_Filter
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Common_Consequences, Name, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor None
704 Incorrect Type Conversion or Cast
Major Common_Consequences, Description, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
705 Incorrect Control Flow Scoping
Major Common_Consequences, Relationships, Taxonomy_Mappings
Minor None
706 Use of Incorrectly-Resolved Name or Reference
Major Common_Consequences, Related_Attack_Patterns, Relationships
Minor None
707 Improper Enforcement of Message or Data Structure
Major Common_Consequences, Description, Name, Related_Attack_Patterns, Relationships
Minor None
708 Incorrect Ownership Assignment
Major Common_Consequences, Description, Maintenance_Notes, Other_Notes, Relationships
Minor None
710 Coding Standards Violation
Major Common_Consequences, Relationships
Minor None
712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
Major Related_Attack_Patterns
Minor None
713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Major Related_Attack_Patterns
Minor None
714 OWASP Top Ten 2007 Category A3 - Malicious File Execution
Major Related_Attack_Patterns
Minor None
715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
Major Related_Attack_Patterns, Relationships
Minor None
716 OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
Major Related_Attack_Patterns
Minor None
717 OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
Major Related_Attack_Patterns
Minor None
718 OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
Major Related_Attack_Patterns
Minor None
719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Major Related_Attack_Patterns
Minor None
721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Major Related_Attack_Patterns
Minor None
722 OWASP Top Ten 2004 Category A1 - Unvalidated Input
Major Relationships
Minor None
723 OWASP Top Ten 2004 Category A2 - Broken Access Control
Major Relationships
Minor None
724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Major Related_Attack_Patterns, Relationships
Minor None
725 OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
Major Relationships
Minor None
726 OWASP Top Ten 2004 Category A5 - Buffer Overflows
Major Relationships
Minor None
727 OWASP Top Ten 2004 Category A6 - Injection Flaws
Major Relationships
Minor None
728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
Major Related_Attack_Patterns, Relationships
Minor None
729 OWASP Top Ten 2004 Category A8 - Insecure Storage
Major Relationships
Minor None
731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Major Relationships
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Modes_of_Introduction, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings
Minor None
1000 Research Concepts
Major Relationships
Minor None
Page Last Updated: January 05, 2017