CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Differences between Draft 9 and Version 1.0  
ID

Differences between Draft 9 and Version 1.0
Differences between Draft 9 and Version 1.0

Summary
Summary
Total new 39
Total deprecated 3
Total shared 695
Total important changes 692
Total major changes 695
Total minor changes 452
Total minor changes (no major)
Total unchanged 0
Back to top
Field Change Summary
Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Affected_Resources 0 0
Alternate_Terms 19 22
Applicable_Platforms 100 422
Background_Details 15 0
Black_Box_Definitions 0 0
Causal_Nature 2 74
Common_Consequences 133 0
Demonstrative_Examples 258 0
Description 134 2
Detection_Factors 11 0
Enabling_Factors_for_Exploitation 1 0
Functional_Areas 4 3
Likelihood_of_Exploit 6 2
Maintenance_Notes 33 0
Modes_of_Introduction 10 0
Name 26 1
Observed_Examples 43 0
Other_Notes 312 0
Potential_Mitigations 278 0
References 15 0
Related_Attack_Patterns 0 0
Relationship_Notes 58 0
Relationships 686 0
Relevant_Properties 6 0
Research_Gaps 6 0
Taxonomy_Mappings 552 0
Terminology_Notes 3 0
Theoretical_Notes 2 0
Time_of_Introduction 548 0
Type 22 0
View_Audience 2 0
View_Filter 7 0
View_Structure 14 0
Weakness_Ordinalities 103 1
White_Box_Definitions 22 3

Form and Abstraction Changes

From To Total
Unchanged 673
Category Deprecated 1
Weakness/Base Deprecated 2
Weakness/Base Weakness/Class 1
Weakness/Base Weakness/Variant 1
Weakness/Class Category 3
Weakness/Class Weakness/Base 6
Weakness/Class Weakness/Variant 1
Weakness/Variant Weakness/Base 7

Relationship Changes

The "Version 1.0 Total" lists the total number of relationships in Version 1.0. The "Shared" value is the total number of relationships in entries that were in both Version 1.0 and Draft 9. The "New" value is the total number of relationships involving entries that did not exist in Draft 9. Thus, the total number of relationships in Version 1.0 would combine stats from Shared entries and New entries.

Relationship Version 1.0 Total Draft 9 Total Version 1.0 Shared Unchanged Added to Version 1.0 Removed from Version 1.0 Version 1.0 New
ALL 3994 2332 3529 1438 2091 894 465
CanAlsoBe 39 47 38 38 9 1
CanFollow 65 35 64 32 32 3 1
CanPrecede 65 35 64 32 32 3 1
ChildOf 1694 989 1504 558 946 431 190
HasMember 96 0 57 57 39
MemberOf 96 0 57 57 39
ParentOf 1694 989 1504 558 946 431 190
PeerOf 188 181 186 168 18 13 2
RequiredBy 27 28 26 26 2 1
Requires 27 28 26 26 2 1
StartsWith 3 0 3 3

Nodes Removed from Draft 9

CWE-ID CWE Name
None.

Nodes Added to Version 1.0

CWE-ID CWE Name
694 Use of Multiple Resources with Duplicate Identifier
695 Use of Low-Level Functionality
696 Incorrect Behavior Order
697 Insufficient Comparison
698 Redirect Without Exit
699 Development Concepts
700 Seven Pernicious Kingdoms
701 Weaknesses Introduced During Design
702 Weaknesses Introduced During Implementation
703 Failure to Handle Exceptional Conditions
704 Incorrect Type Conversion or Cast
705 Incorrect Control Flow Scoping
706 Use of Incorrectly-Resolved Name or Reference
707 Failure to Enforce that Messages or Data are Well-Formed
708 Incorrect Ownership Assignment
709 Named Chains
710 Coding Standards Violation
711 Weaknesses in OWASP Top Ten (2004)
712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
713 OWASP Top Ten 2007 Category A2 - Injection Flaws
714 OWASP Top Ten 2007 Category A3 - Malicious File Execution
715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
716 OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
717 OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
718 OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
720 OWASP Top Ten 2007 Category A9 - Insecure Communications
721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
722 OWASP Top Ten 2004 Category A1 - Unvalidated Input
723 OWASP Top Ten 2004 Category A2 - Broken Access Control
724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
725 OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
726 OWASP Top Ten 2004 Category A5 - Buffer Overflows
727 OWASP Top Ten 2004 Category A6 - Injection Flaws
728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
729 OWASP Top Ten 2004 Category A8 - Insecure Storage
730 OWASP Top Ten 2004 Category A9 - Denial of Service
731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
732 Insecure Permission Assignment for Resource

Nodes Deprecated in Version 1.0

CWE-ID CWE Name
132 DEPRECATED (Duplicate): Miscalculated Null Termination
139 DEPRECATED: General Special Element Problems
218 DEPRECATED (Duplicate): Failure to provide confidentiality for stored data
Back to top
Important Changes
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

R 1 Location
R 2 Environment
R 3 Technology-specific Environment Issues
R 4 J2EE Environment Issues
R 5 J2EE Misconfiguration: Data Transmission Without Encryption
R 6 J2EE Misconfiguration: Insufficient Session-ID Length
R 7 J2EE Misconfiguration: Missing Error Handling
R 8 J2EE Misconfiguration: Entity Bean Declared Remote
R 9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
R 10 ASP.NET Environment Issues
R 11 ASP.NET Misconfiguration: Creating Debug Binary
R 12 ASP.NET Misconfiguration: Missing Custom Error Handling
R 13 ASP.NET Misconfiguration: Password in Configuration File
R 14 Compiler Removal of Code to Clear Buffers
R 15 External Control of System or Configuration Setting
R 16 Configuration
R 17 Code
R 18 Source Code
R 19 Data Handling
R 20 Insufficient Input Validation
R 21 Pathname Traversal and Equivalence Errors
R 22 Path Traversal
R 23 Relative Path Traversal
R 24 Path Traversal: '../filedir'
R 25 Path Traversal: '/../filedir'
R 26 Path Traversal: '/dir/../filename'
R 27 Path Traversal: 'dir/../../filename'
R 28 Path Traversal: '..\filename'
R 29 Path Traversal: '\..\filename'
R 30 Path Traversal: '\dir\..\filename'
R 31 Path Traversal: 'dir\..\filename'
R 32 Path Traversal: '...' (Triple Dot)
R 33 Path Traversal: '....' (Multiple Dot)
R 34 Path Traversal: '....//'
D R 35 Path Traversal: '.../...//'
R 36 Absolute Path Traversal
R 37 Path Traversal: '/absolute/pathname/here'
R 38 Path Traversal: '\absolute\pathname\here'
R 39 Path Traversal: 'C:dirname'
R 40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
R 41 Failure to Resolve Path Equivalence
R 42 Path Equivalence: 'filename.' (Trailing Dot)
R 43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
R 44 Path Equivalence: 'file.name' (Internal Dot)
R 45 Path Equivalence: 'file...name' (Multiple Internal Dot)
R 46 Path Equivalence: 'filename ' (Trailing Space)
R 47 Path Equivalence: ' filename (Leading Space)
R 48 Path Equivalence: 'file name' (Internal Whitespace)
R 49 Path Equivalence: 'filename/' (Trailing Slash)
R 50 Path Equivalence: '//multiple/leading/slash'
R 51 Path Equivalence: '/multiple//internal/slash'
R 52 Path Equivalence: '/multiple/trailing/slash//'
R 53 Path Equivalence: '\multiple\\internal\backslash'
R 54 Path Equivalence: 'filedir\' (Trailing Backslash)
R 55 Path Equivalence: '/./' (Single Dot Directory)
R 56 Path Equivalence: 'filedir*' (Wildcard)
R 57 Path Equivalence: 'dirname/fakechild/../realchild/filename'
R 58 Path Equivalence: Windows 8.3 Filename
R 59 Failure to Resolve Links Before File Access (aka 'Link Following')
R 60 UNIX Path Link Problems
R 61 UNIX Symbolic Link (Symlink) Following
R 62 UNIX Hard Link
R 63 Windows Path Link Problems
R 64 Windows Shortcut Following (.LNK)
R 65 Windows Hard Link
D R 66 Failure to Handle File Names that Identify Virtual Resources
R 67 Failure to Handle Windows Device Names
R 68 Windows Virtual File Problems
D R 69 Failure to Handle Windows ::DATA Alternate Data Stream
R 70 Mac Virtual File Problems
R 71 Apple '.DS_Store'
R 72 Apple HFS+ Alternate Data Stream
R 73 External Control of File Name or Path
D R 74 Failure to Sanitize Data into a Different Plane (aka 'Injection')
R 75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
R 76 Failure to Resolve Equivalent Special Elements into a Different Plane
R 77 Failure to Sanitize Data into a Control Plane (aka 'Command Injection')
R 78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
D R 79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
R 80 Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)
D R 81 Failure to Sanitize Directives in an Error Message Web Page
R 82 Failure to Sanitize Script in Attributes of IMG Tags in a Web Page
R 83 Failure to Sanitize Script in Attributes in a Web Page
R 84 Failure to Resolve Encoded URI Schemes in a Web Page
R 85 Doubled Character XSS Manipulations
DNR 86 Failure to Sanitize Invalid Characters in Identifiers in Web Pages
NR 87 Failure to Sanitize Alternate XSS Syntax
R 88 Argument Injection or Modification
NR 89 Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')
R 90 Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')
R 91 XML Injection (aka Blind XPath Injection)
R 92 Custom Special Character Injection
R 93 Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
R 94 Code Injection
D R 95 Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')
R 96 Insufficient Control of Directives in Statically Saved Code (Static Code Injection)
R 97 Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
R 98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
R 99 Insufficient Control of Resource Identifiers (aka 'Resource Injection')
R 100 Technology-Specific Input Validation Problems
D R 101 Struts Validation Problems
R 102 Struts: Duplicate Validation Forms
R 103 Struts: Incomplete validate() Method Definition
R 104 Struts: Form Bean Does Not Extend Validation Class
R 105 Struts: Form Field Without Validator
R 106 Struts: Plug-in Framework not in Use
D R 107 Struts: Unused Validation Form
R 108 Struts: Unvalidated Action Form
R 109 Struts: Validator Turned Off
R 110 Struts: Validator Without Form Field
R 111 Direct Use of Unsafe JNI
R 112 Missing XML Validation
R 113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
R 114 Process Control
R 115 Misinterpretation of Input
NR 116 Insufficient Output Sanitization
R 117 Incorrect Output Sanitization for Logs
DNR 118 Improper Access of Indexable Resource (aka 'Range Error')
D R 119 Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer
R 120 Unbounded Transfer ('Classic Buffer Overflow')
R 121 Stack-based Buffer Overflow
R 122 Heap-based Buffer Overflow
R 123 Write-what-where Condition
D R 124 Boundary Beginning Violation ('Buffer Underwrite')
R 125 Out-of-bounds Read
R 126 Buffer Over-read
R 127 Buffer Under-read
R 128 Wrap-around Error
R 129 Unchecked Array Indexing
DNR 130 Failure to Handle Length Parameter Inconsistency
R 131 Incorrect Calculation of Buffer Size
DNR 132 DEPRECATED (Duplicate): Miscalculated Null Termination
R 133 String Errors
R 134 Uncontrolled Format String
R 135 Incorrect Calculation of Multi-Byte String Length
R 136 Type Errors
R 137 Representation Errors
D R 138 Failure to Sanitize Special Elements
DNR 139 DEPRECATED: General Special Element Problems
R 140 Failure to Sanitize Delimiters
R 141 Failure to Sanitize Parameter/Argument Delimiters
R 142 Failure to Sanitize Value Delimiters
R 143 Failure to Sanitize Record Delimiters
R 144 Failure to Sanitize Line Delimiters
R 145 Failure to Sanitize Section Delimiters
R 146 Failure to Sanitize Expression/Command Delimiters
R 147 Failure to Sanitize Input Terminators
R 148 Failure to Sanitize Input Leaders
R 149 Failure to Sanitize Quoting Syntax
R 150 Failure to Sanitize Escape, Meta, or Control Sequences
R 151 Failure to Sanitize Comment Element
R 152 Failure to Sanitize Macro Symbol
R 153 Failure to Sanitize Substitution Character
R 154 Failure to Sanitize Variable Name Delimiter
R 155 Failure to Sanitize Wildcard or Matching Symbol
D R 156 Failure to Sanitize Whitespace
R 157 Failure to Sanitize Paired Delimiters
R 158 Failure to Sanitize Null Byte or NUL Character
R 159 Failure to Sanitize Special Element
R 160 Failure to Sanitize Leading Special Element
R 161 Failure to Sanitize Multiple Leading Special Elements
R 162 Failure to Sanitize Trailing Special Element
R 163 Failure to Sanitize Multiple Trailing Special Elements
R 164 Failure to Sanitize Internal Special Element
R 165 Failure to Sanitize Multiple Internal Special Elements
R 166 Failure to Handle Missing Special Element
R 167 Failure to Handle Additional Special Element
R 168 Failure to Resolve Inconsistent Special Elements
R 169 Technology-Specific Special Elements
D R 170 Improper Null Termination
R 171 Cleansing, Canonicalization, and Comparison Errors
R 172 Encoding Error
R 173 Failure to Handle Alternate Encoding
R 174 Double Decoding of the Same Data
R 175 Failure to Handle Mixed Encoding
R 176 Failure to Handle Unicode Encoding
R 177 Failure to Handle URL Encoding (Hex Encoding)
D R 178 Failure to Resolve Case Sensitivity
R 179 Incorrect Behavior Order: Early Validation
R 180 Incorrect Behavior Order: Validate Before Canonicalize
R 181 Incorrect Behavior Order: Validate Before Filter
D R 182 Collapse of Data Into Unsafe Value
D R 183 Permissive Whitelist
R 184 Incomplete Blacklist
DNR 185 Incorrect Regular Expression
R 186 Overly Restrictive Regular Expression
D R 187 Partial Comparison
R 188 Reliance on Data/Memory Layout
R 189 Numeric Errors
R 190 Integer Overflow (Wrap or Wraparound)
R 191 Integer Underflow (Wrap or Wraparound)
R 192 Integer Coercion Error
R 193 Off-by-one Error
D R 194 Incorrect Sign Extension
R 195 Signed to Unsigned Conversion Error
R 196 Unsigned to Signed Conversion Error
R 197 Numeric Truncation Error
R 198 Use of Incorrect Byte Ordering
R 199 Information Management Errors
R 200 Information Leak (Information Disclosure)
R 201 Information Leak Through Sent Data
D R 202 Privacy Leak through Data Queries
R 203 Discrepancy Information Leaks
R 204 Response Discrepancy Information Leak
R 205 Behavioral Discrepancy Information Leak
R 206 Internal Behavioral Inconsistency Information Leak
R 207 External Behavioral Inconsistency Information Leak
R 208 Timing Discrepancy Information Leak
R 209 Error Message Information Leaks
R 210 Product-Generated Error Message Information Leak
R 211 Product-External Error Message Information Leak
R 212 Cross-boundary Cleansing Information Leak
R 213 Intended Information Leak
R 214 Process Environment Information Leak
R 215 Information Leak Through Debug Information
R 216 Containment Errors (Container Errors)
R 217 Failure to Protect Stored Data from Modification
DNR 218 DEPRECATED (Duplicate): Failure to provide confidentiality for stored data
R 219 Sensitive Data Under Web Root
R 220 Sensitive Data Under FTP Root
D R 221 Information Loss or Omission
R 222 Truncation of Security-relevant Information
R 223 Omission of Security-relevant Information
R 224 Obscured Security-relevant Information by Alternate Name
R 225 DEPRECATED (Duplicate): General Information Management Problems
R 226 Sensitive Information Uncleared Before Release
D R 227 Failure to Fulfill API Contract (aka 'API Abuse')
DNR 228 Failure to Handle Syntactically Invalid Structure
R 229 Improper Handling of Values
R 230 Failure to Handle Missing Value
R 231 Failure to Handle Extra Value
R 232 Failure to Handle Undefined Value
R 233 Parameter Problems
R 234 Failure to Handle Missing Parameter
R 235 Failure to Handle Extra Parameter
R 236 Failure to Handle Undefined Parameter
R 237 Element Problems
R 238 Failure to Handle Missing Element
R 239 Failure to Handle Incomplete Element
R 240 Failure to Resolve Inconsistent Elements
R 241 Failure to Handle Wrong Data Type
R 242 Use of Inherently Dangerous Function
D R 243 Failure to Change Working Directory in chroot Jail
NR 244 Failure to Clear Heap Memory Before Release (aka 'Heap Inspection')
R 245 J2EE Bad Practices: Direct Management of Connections
R 246 J2EE Bad Practices: Direct Use of Sockets
R 247 Reliance on DNS Lookups in a Security Decision
R 248 Uncaught Exception
R 249 Often Misused: Path Manipulation
D R 250 Design Principle Violation: Failure to Use Least Privilege
R 251 Often Misused: String Management
R 252 Unchecked Return Value
R 253 Misinterpreted Function Return Value
R 254 Security Features
R 255 Credentials Management
R 256 Plaintext Storage of a Password
R 257 Storing Passwords in a Recoverable Format
R 258 Empty Password in Configuration File
R 259 Hard-Coded Password
R 260 Password in Configuration File
R 261 Weak Cryptography for Passwords
R 262 Not Using Password Aging
R 263 Password Aging with Long Expiration
R 264 Permissions, Privileges, and Access Controls
D R 265 Privilege / Sandbox Issues
D R 266 Incorrect Privilege Assignment
D R 267 Privilege Defined With Unsafe Actions
R 268 Privilege Chaining
DNR 269 Insecure Privilege Management
D R 270 Privilege Context Switching Error
D R 271 Privilege Dropping / Lowering Errors
R 272 Least Privilege Violation
D R 273 Failure to Check Whether Privileges Were Dropped Successfully
D R 274 Failure to Handle Insufficient Privileges
R 275 Permission Issues
R 276 Insecure Default Permissions
R 277 Insecure Inherited Permissions
R 278 Insecure Preserved Inherited Permissions
R 279 Insecure Execution-assigned Permissions
R 280 Failure to Handle Insufficient Permissions or Privileges
R 281 Permission Preservation Failure
R 282 Improper Ownership Management
R 283 Unverified Ownership
DNR 284 Access Control (Authorization) Issues
R 285 Missing or Inconsistent Access Control
DNR 286 Incorrect User Management
R 287 Insufficient Authentication
DNR 288 Authentication Bypass Using an Alternate Path or Channel
D R 289 Authentication Bypass by Alternate Name
D R 290 Authentication Bypass by Spoofing
R 291 Trusting Self-reported IP Address
R 292 Trusting Self-reported DNS Name
R 293 Using Referer Field for Authentication
R 294 Authentication Bypass by Capture-replay
R 295 Certificate Issues
R 296 Failure to Follow Chain of Trust in Certificate Validation
R 297 Failure to Validate Host-specific Certificate Data
R 298 Failure to Validate Certificate Expiration
R 299 Failure to Check for Certificate Revocation
D R 300 Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')
D R 301 Reflection Attack in an Authentication Protocol
R 302 Authentication Bypass by Assumed-Immutable Data
R 303 Improper Implementation of Authentication Algorithm
R 304 Missing Critical Step in Authentication
R 305 Authentication Bypass by Primary Weakness
R 306 No Authentication for Critical Function
R 307 Failure to Restrict Excessive Authentication Attempts
R 308 Use of Single-factor Authentication
R 309 Use of Password System for Primary Authentication
R 310 Cryptographic Issues
R 311 Failure to Encrypt Sensitive Data
R 312 Plaintext Storage of Sensitive Information
R 313 Plaintext Storage in a File or on Disk
R 314 Plaintext Storage in the Registry
R 315 Plaintext Storage in a Cookie
D R 316 Plaintext Storage in Memory
D R 317 Plaintext Storage in GUI
R 318 Plaintext Storage in Executable
R 319 Plaintext Transmission of Sensitive Information
R 320 Key Management Errors
R 321 Use of Hard-coded Cryptographic Key
R 322 Key Exchange without Entity Authentication
R 323 Reusing a Nonce, Key Pair in Encryption
R 324 Use of a Key Past its Expiration Date
D R 325 Missing Required Cryptographic Step
R 326 Weak Encryption
D R 327 Use of a Broken or Risky Cryptographic Algorithm
R 328 Reversible One-Way Hash
R 329 Not Using a Random IV with CBC Mode
R 330 Use of Insufficiently Random Values
R 331 Insufficient Entropy
R 332 Insufficient Entropy in PRNG
R 333 Failure to Handle Insufficient Entropy in TRNG
R 334 Small Space of Random Values
R 335 PRNG Seed Error
R 336 Same Seed in PRNG
R 337 Predictable Seed in PRNG
R 338 Use of Cryptographically Weak PRNG
R 339 Small Seed Space in PRNG
R 340 Predictability Problems
R 341 Predictable from Observable State
R 342 Predictable Exact Value from Previous Values
R 343 Predictable Value Range from Previous Values
R 344 Use of Invariant Value in Dynamically Changing Context
R 345 Insufficient Verification of Data Authenticity
R 346 Origin Validation Error
R 347 Improperly Verified Signature
R 348 Use of Less Trusted Source
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 350 Improperly Trusted Reverse DNS
R 351 Insufficient Type Distinction
D R 352 Cross-Site Request Forgery (CSRF)
R 353 Failure to Add Integrity Check Value
R 354 Failure to Check Integrity Check Value
R 355 User Interface Security Issues
R 356 Product UI does not Warn User of Unsafe Actions
R 357 Insufficient UI Warning of Dangerous Operations
R 358 Improperly Implemented Security Check for Standard
R 359 Privacy Violation
R 360 Trust of System Event Data
R 361 Time and State
R 362 Race Condition
R 363 Race Condition Enabling Link Following
R 364 Signal Handler Race Condition
R 365 Race Condition in Switch
R 366 Race Condition within a Thread
R 367 Time-of-check Time-of-use Race Condition
R 368 Context Switching Race Condition
D R 369 Divide By Zero
R 370 Race Condition in Checking for Certificate Revocation
R 371 State Issues
R 372 Incomplete Internal State Distinction
R 373 State Synchronization Error
R 374 Mutable Objects Passed by Reference
R 375 Passing Mutable Objects to an Untrusted Method
R 376 Temporary File Issues
R 377 Insecure Temporary File
R 378 Creation of Temporary File With Insecure Permissions
R 379 Creation of Temporary File in Directory with Insecure Permissions
R 380 Technology-Specific Time and State Issues
R 381 J2EE Time and State Issues
R 382 J2EE Bad Practices: Use of System.exit()
R 383 J2EE Bad Practices: Direct Use of Threads
D R 384 Session Fixation
R 385 Covert Timing Channel
R 386 Symbolic Name not Mapping to Correct Object
D R 387 Signal Errors
D R 388 Error Handling
R 389 Error Conditions, Return Values, Status Codes
R 390 Detection of Error Condition Without Action
R 391 Unchecked Error Condition
R 392 Failure to Report Error in Status Code
R 393 Return of Wrong Status Code
R 394 Unexpected Status Code or Return Value
R 395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
R 396 Declaration of Catch for Generic Exception
R 397 Declaration of Throws for Generic Exception
D R 398 Indicator of Poor Code Quality
R 399 Resource Management Errors
R 400 Resource Exhaustion
R 401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
R 402 Transmission of Private Resources into a New Sphere (aka 'Resource Leak')
R 403 UNIX File Descriptor Leak
D R 404 Improper Resource Shutdown or Release
R 405 Asymmetric Resource Consumption (Amplification)
R 406 Network Amplification
R 407 Algorithmic Complexity
R 408 Incorrect Behavior Order: Early Amplification
R 409 Failure to Handle Highly Compressed Data (Data Amplification)
R 410 Insufficient Resource Pool
R 411 Resource Locking Problems
D R 412 Unrestricted Lock on Critical Resource
R 413 Insufficient Resource Locking
R 414 Missing Lock Check
D R 415 Double Free
R 416 Use After Free
R 417 Channel and Path Errors
R 418 Channel Errors
R 419 Unprotected Primary Channel
R 420 Unprotected Alternate Channel
R 421 Race Condition During Access to Alternate Channel
R 422 Unprotected Windows Messaging Channel ('Shatter')
R 423 Proxied Trusted Channel
R 424 Failure to Protect Alternate Path
R 425 Direct Request ('Forced Browsing')
R 426 Untrusted Search Path
R 427 Uncontrolled Search Path Element
R 428 Unquoted Search Path or Element
R 429 Handler Errors
R 430 Deployment of Wrong Handler
R 431 Missing Handler
R 432 Dangerous Handler not Disabled During Sensitive Operations
R 433 Unparsed Raw Web Content Delivery
R 434 Unrestricted File Upload
R 435 Interaction Error
R 436 Interpretation Conflict
R 437 Incomplete Model of Endpoint Features
R 438 Behavioral Problems
R 439 Behavioral Change in New Version or Environment
R 440 Expected Behavior Violation
R 441 Unintended Proxy/Intermediary
D R 442 Web Problems
R 443 DEPRECATED (Duplicate): HTTP response splitting
NR 444 Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')
R 445 User Interface Errors
R 446 UI Discrepancy for Security Feature
R 447 Unimplemented or Unsupported Feature in UI
R 448 Obsolete Feature in UI
R 449 The UI Performs the Wrong Action
R 450 Multiple Interpretations of UI Input
R 451 UI Misrepresentation of Critical Information
R 452 Initialization and Cleanup Errors
R 453 Insecure Default Variable Initialization
D R 454 External Initialization of Trusted Variables
R 455 Non-exit on Failed Initialization
R 456 Missing Initialization
D R 457 Use of Uninitialized Variable
R 458 DEPRECATED: Incorrect Initialization
R 459 Incomplete Cleanup
R 460 Improper Cleanup on Thrown Exception
R 461 Data Structure Issues
R 462 Duplicate Key in Associative List (Alist)
R 463 Deletion of Data Structure Sentinel
R 464 Addition of Data Structure Sentinel
R 465 Pointer Issues
R 466 Return of Pointer Value Outside of Expected Range
R 467 Use of sizeof() on a Pointer Type
R 468 Incorrect Pointer Scaling
R 469 Use of Pointer Subtraction to Determine Size
D R 470 Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')
R 471 Modification of Assumed-Immutable Data (MAID)
D R 472 External Control of Assumed-Immutable Web Parameter
R 473 PHP External Variable Modification
R 474 Use of Function with Inconsistent Implementations
R 475 Undefined Behavior for Input to API
R 476 NULL Pointer Dereference
R 477 Use of Obsolete Functions
D R 478 Failure to Use Default Case in Switch
D R 479 Unsafe Function Call from a Signal Handler
R 480 Use of Incorrect Operator
D R 481 Assigning instead of Comparing
D R 482 Comparing instead of Assigning
D R 483 Incorrect Block Delimitation
D R 484 Omitted Break Statement
D R 485 Insufficient Encapsulation
D R 486 Comparison of Classes by Name
R 487 Reliance on Package-level Scope
D R 488 Data Leak Between Sessions
R 489 Leftover Debug Code
R 490 Mobile Code Issues
R 491 Public cloneable() Method Without Final (aka 'Object Hijack')
R 492 Use of Inner Class Containing Sensitive Data
D R 493 Critical Public Variable Without Final Modifier
R 494 Download of Untrusted Mobile Code Without Integrity Check
R 495 Private Array-Typed Field Returned From A Public Method
R 496 Public Data Assigned to Private Array-Typed Field
R 497 Information Leak of System Data
D R 498 Information Leak through Class Cloning
D R 499 Serializable Class Containing Sensitive Data
R 500 Static Field Not Marked Final
D R 501 Trust Boundary Violation
D R 502 Deserialization of Untrusted Data
R 503 Byte/Object Code
R 504 Motivation/Intent
D R 505 Intentionally Introduced Weakness
D R 506 Embedded Malicious Code
R 507 Trojan Horse
R 508 Non-Replicating Malicious Code
R 509 Replicating Malicious Code (Virus or Worm)
R 510 Trapdoor
R 511 Logic/Time Bomb
R 512 Spyware
R 513 Intentionally Introduced Nonmalicious Weakness
R 514 Covert Channel
R 515 Covert Storage Channel
R 516 DEPRECATED (Duplicate): Covert Timing Channel
R 517 Other Intentional, Nonmalicious Weakness
R 518 Inadvertently Introduced Weakness
R 519 .NET Environment Issues
R 520 .NET Misconfiguration: Use of Impersonation
D R 521 Weak Password Requirements
R 522 Insufficiently Protected Credentials
R 523 Unprotected Transport of Credentials
R 524 Information Leak Through Caching
R 525 Information Leak Through Browser Caching
R 526 Information Leak Through Environmental Variables
R 527 Information Leak Through CVS Repository
R 528 Information Leak Through Core Dump Files
R 529 Information Leak Through Access Control List Files
R 530 Information Leak Through Backup (.~bk) Files
R 531 Information Leak Through Test Code
R 532 Information Leak Through Log Files
R 533 Information Leak Through Server Log Files
R 534 Information Leak Through Debug Log Files
R 535 Information Leak Through Shell Error Message
R 536 Information Leak Through Servlet Runtime Error Message
R 537 Information Leak Through Java Runtime Error Message
R 538 File and Directory Information Leaks
R 539 Information Leak Through Persistent Cookies
R 540 Information Leak Through Source Code
R 541 Information Leak Through Include Source Code
R 542 Information Leak Through Cleanup Log Files
R 543 Use of Singleton Pattern in a Non-thread-safe Manner
D R 544 Missing Error Handling Mechanism
R 545 Use of Dynamic Class Loading
D R 546 Suspicious Comment
D R 547 Use of Hard-coded, Security-relevant Constants
R 548 Information Leak Through Directory Listing
R 549 Missing Password Field Masking
R 550 Information Leak Through Server Error Message
R 551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
R 552 Files or Directories Accessible to External Parties
R 553 Command Shell in Externally Accessible Directory
D R 554 ASP.NET Misconfiguration: Not Using Input Validation Framework
D R 555 J2EE Misconfiguration: Plaintext Password in Configuration File
R 556 ASP.NET Misconfiguration: Use of Identity Impersonation
R 557 Concurrency Issues
D R 558 Use of getlogin() in Multithreaded Application
R 559 Often Misused: Arguments and Parameters
R 560 Use of umask() with chmod-style Argument
D R 561 Dead Code
R 562 Return of Stack Variable Address
D R 563 Unused Variable
R 564 SQL Injection: Hibernate
R 565 Use of Cookies in Security Decision
R 566 Access Control Bypass Through User-Controlled SQL Primary Key
R 567 Unsynchronized Access to Shared Data
R 568 finalize() Method Without super.finalize()
R 569 Expression Issues
R 570 Expression is Always False
R 571 Expression is Always True
R 572 Call to Thread run() instead of start()
D R 573 Failure to Follow Specification
R 574 EJB Bad Practices: Use of Synchronization Primitives
R 575 EJB Bad Practices: Use of AWT Swing
R 576 EJB Bad Practices: Use of Java I/O
R 577 EJB Bad Practices: Use of Sockets
R 578 EJB Bad Practices: Use of Class Loader
R 579 J2EE Bad Practices: Non-serializable Object Stored in Session
R 580 clone() Method Without super.clone()
R 581 Object Model Violation: Just One of Equals and Hashcode Defined
D R 582 Array Declared Public, Final, and Static
R 583 finalize() Method Declared Public
R 584 Return Inside Finally Block
R 585 Empty Synchronized Block
R 586 Explicit Call to Finalize()
D R 587 Assignment of a Fixed Address to a Pointer
R 588 Attempt to Access Child of a Non-structure Pointer
R 589 Call to Non-ubiquitous API
D R 590 Free of Invalid Pointer Not on the Heap
R 591 Sensitive Data Storage in Improperly Locked Memory
R 592 Authentication Bypass Issues
R 593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
R 594 J2EE Framework: Saving Unserializable Objects to Disk
D R 595 Incorrect Syntactic Object Comparison
D R 596 Incorrect Semantic Object Comparison
D R 597 Use of Wrong Operator in String Comparison
R 598 Information Leak Through Query Strings in GET Request
R 599 Trust of OpenSSL Certificate Without Validation
R 600 Failure to Catch All Exceptions (Missing Catch Block)
DNR 601 URL Redirection to Untrusted Site (aka 'Open Redirect')
R 602 Design Principle Violation: Client-Side Enforcement of Server-Side Security
D R 603 Use of Client-Side Authentication
R 604 Deprecated
R 605 Multiple Binds to the Same Port
R 606 Unchecked Input for Loop Condition
R 607 Public Static Final Field References Mutable Object
R 608 Struts: Non-private Field in ActionForm Class
D R 609 Double-Checked Locking
R 610 Externally Controlled Reference to a Resource in Another Sphere
D R 611 Information Leak Through XML External Entity File Disclosure
D R 612 Information Leak Through Indexing of Private Data
R 613 Insufficient Session Expiration
R 614 Sensitive Cookie in HTTPS Session Without "Secure" Attribute
R 615 Information Leak Through Comments
R 616 Incomplete Identification of Uploaded File Variables (PHP)
D R 617 Reachable Assertion
R 618 Exposed Unsafe ActiveX Method
R 619 Dangling Database Cursor (aka 'Cursor Injection')
D R 620 Unverified Password Change
D R 621 Variable Extraction Error
D R 622 Unvalidated Function Hook Arguments
D R 623 Unsafe ActiveX Control Marked Safe For Scripting
R 624 Executable Regular Expression Error
D R 625 Permissive Regular Expression
D R 626 Null Byte Interaction Error (Poison Null Byte)
R 627 Dynamic Variable Evaluation
D R 628 Function Call with Incorrectly Specified Arguments
DNR 629 Weaknesses in OWASP Top Ten (2007)
R 630 Weaknesses Examined by SAMATE
R 631 Resource-specific Weaknesses
R 632 Weaknesses that Affect Files or Directories
R 633 Weaknesses that Affect Memory
R 634 Weaknesses that Affect System Processes
R 635 Weaknesses Used by NVD
DNR 636 Design Principle Violation: Not Failing Securely (aka 'Failing Open')
D R 637 Design Principle Violation: Not Using Economy of Mechanism
R 638 Design Principle Violation: Not Using Complete Mediation
R 639 Access Control Bypass Through User-Controlled Key
DNR 640 Weak Password Recovery Mechanism for Forgotten Password
R 641 Insufficient Filtering of File and Other Resource Names for Executable Content
R 642 External Control of User State Data
R 643 Unsafe Treatment of XPath Input
R 644 Insufficient Filtering of HTTP Headers for Scripting Syntax
R 645 Overly Restrictive Account Lockout Mechanism
R 646 Taking Actions based on File Name or Extension of a User Supplied File
R 647 Using Non-Canonical Paths for Authorization Decisions
R 648 Improper Use of Privileged APIs
R 649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
R 650 Trusting HTTP Permission Methods on the Server Side
D R 651 Information Leak through WSDL File
R 652 Unsafe Treatment of XQuery Input
D R 653 Design Principle Violation: Insufficient Compartmentalization
R 654 Design Principle Violation: Reliance on a Single Factor in a Security Decision
R 655 Design Principle Violation: Failure to Satisfy Psychological Acceptability
D R 656 Design Principle Violation: Reliance on Security through Obscurity
D R 657 Violation of Secure Design Principles
DN 658 Weaknesses in Software Written in C
DN 659 Weaknesses in Software Written in C++
DN 660 Weaknesses in Software Written in Java
DN 661 Weaknesses in Software Written in PHP
R 662 Insufficient Synchronization
R 663 Use of a Non-reentrant Function in an Unsynchronized Context
D R 664 Insufficient Control of a Resource Through its Lifetime
R 665 Incorrect or Incomplete Initialization
D 666 Operation on Resource in Wrong Phase of Lifetime
R 667 Insufficient Locking
R 668 Exposure of Resource to Wrong Sphere
R 669 Incorrect Resource Transfer Between Spheres
D R 670 Always-Incorrect Control Flow Implementation
D R 671 Design Principle Violation: Lack of Administrator Control over Security
R 672 Use of a Resource after Expiration or Release
D R 673 External Influence of Sphere Definition
R 674 Uncontrolled Recursion
R 675 Duplicate Operations on Resource
R 676 Use of Potentially Dangerous Function
D 678 Composites
R 680 Integer Overflow to Buffer Overflow
R 681 Incorrect Conversion between Numeric Types
R 682 Incorrect Calculation
D R 683 Function Call With Incorrect Order of Arguments
D R 684 Failure to Provide Specified Functionality
R 685 Function Call With Incorrect Number of Arguments
D R 686 Function Call With Incorrect Argument Type
R 687 Function Call With Incorrectly Specified Argument Value
R 688 Function Call With Incorrect Variable or Reference as Argument
R 689 Permission Race Condition During Resource Copy
D R 690 Unchecked Return Value to NULL Pointer Dereference
R 691 Insufficient Control Flow Management
R 692 Incomplete Blacklist to Cross-Site Scripting
D R 693 Protection Mechanism Failure
DNR 1000 Research Concepts
Back to top
Detailed Difference Report
Detailed Difference Report
1 Location
Major Relationships
Minor None
2 Environment
Major Relationships
Minor None
3 Technology-specific Environment Issues
Major Relationships
Minor None
4 J2EE Environment Issues
Major Relationships, Taxonomy_Mappings
Minor None
5 J2EE Misconfiguration: Data Transmission Without Encryption
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
6 J2EE Misconfiguration: Insufficient Session-ID Length
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
7 J2EE Misconfiguration: Missing Error Handling
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
8 J2EE Misconfiguration: Entity Bean Declared Remote
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
10 ASP.NET Environment Issues
Major Relationships, Taxonomy_Mappings
Minor None
11 ASP.NET Misconfiguration: Creating Debug Binary
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
12 ASP.NET Misconfiguration: Missing Custom Error Handling
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
13 ASP.NET Misconfiguration: Password in Configuration File
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
14 Compiler Removal of Code to Clear Buffers
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
15 External Control of System or Configuration Setting
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Description
16 Configuration
Major Relationships
Minor None
17 Code
Major Relationships
Minor None
18 Source Code
Major Relationships, Taxonomy_Mappings
Minor None
19 Data Handling
Major Relationships
Minor None
20 Insufficient Input Validation
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
21 Pathname Traversal and Equivalence Errors
Major Relationships, Taxonomy_Mappings, Type
Minor Applicable_Platforms
22 Path Traversal
Major Alternate_Terms, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
23 Relative Path Traversal
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
24 Path Traversal: '../filedir'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
25 Path Traversal: '/../filedir'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
26 Path Traversal: '/dir/../filename'
Major Applicable_Platforms, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
27 Path Traversal: 'dir/../../filename'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
28 Path Traversal: '..\filename'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
29 Path Traversal: '\..\filename'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
30 Path Traversal: '\dir\..\filename'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
31 Path Traversal: 'dir\..\filename'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
32 Path Traversal: '...' (Triple Dot)
Major Maintenance_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
33 Path Traversal: '....' (Multiple Dot)
Major Maintenance_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
34 Path Traversal: '....//'
Major Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
35 Path Traversal: '.../...//'
Major Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
36 Absolute Path Traversal
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
37 Path Traversal: '/absolute/pathname/here'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
38 Path Traversal: '\absolute\pathname\here'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
39 Path Traversal: 'C:dirname'
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
41 Failure to Resolve Path Equivalence
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Applicable_Platforms
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
44 Path Equivalence: 'file.name' (Internal Dot)
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
46 Path Equivalence: 'filename ' (Trailing Space)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
47 Path Equivalence: ' filename (Leading Space)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
50 Path Equivalence: '//multiple/leading/slash'
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
51 Path Equivalence: '/multiple//internal/slash'
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
52 Path Equivalence: '/multiple/trailing/slash//'
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
53 Path Equivalence: '\multiple\\internal\backslash'
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
55 Path Equivalence: '/./' (Single Dot Directory)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
56 Path Equivalence: 'filedir*' (Wildcard)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
57 Path Equivalence: 'dirname/fakechild/../realchild/filename'
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
58 Path Equivalence: Windows 8.3 Filename
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
59 Failure to Resolve Links Before File Access (aka 'Link Following')
Major Alternate_Terms, Applicable_Platforms, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
60 UNIX Path Link Problems
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
61 UNIX Symbolic Link (Symlink) Following
Major Observed_Examples, Other_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Applicable_Platforms, Causal_Nature
62 UNIX Hard Link
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
63 Windows Path Link Problems
Major Applicable_Platforms, Relationships
Minor None
64 Windows Shortcut Following (.LNK)
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Causal_Nature
65 Windows Hard Link
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
66 Failure to Handle File Names that Identify Virtual Resources
Major Description, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Applicable_Platforms
67 Failure to Handle Windows Device Names
Major Applicable_Platforms, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
68 Windows Virtual File Problems
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
69 Failure to Handle Windows ::DATA Alternate Data Stream
Major Applicable_Platforms, Background_Details, Description, Other_Notes, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
70 Mac Virtual File Problems
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
71 Apple '.DS_Store'
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
72 Apple HFS+ Alternate Data Stream
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
73 External Control of File Name or Path
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
74 Failure to Sanitize Data into a Different Plane (aka 'Injection')
Major Common_Consequences, Description, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
76 Failure to Resolve Equivalent Special Elements into a Different Plane
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
77 Failure to Sanitize Data into a Control Plane (aka 'Command Injection')
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
78 Failure to Sanitize Data into an OS Command (aka 'OS Command Injection')
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor Alternate_Terms, Applicable_Platforms
79 Failure to Sanitize Directives in a Web Page (aka 'Cross-site scripting' (XSS))
Major Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
80 Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS)
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities, White_Box_Definitions
Minor Applicable_Platforms, Causal_Nature
81 Failure to Sanitize Directives in an Error Message Web Page
Major Description, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
82 Failure to Sanitize Script in Attributes of IMG Tags in a Web Page
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
83 Failure to Sanitize Script in Attributes in a Web Page
Major Observed_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
84 Failure to Resolve Encoded URI Schemes in a Web Page
Major Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
85 Doubled Character XSS Manipulations
Major Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
86 Failure to Sanitize Invalid Characters in Identifiers in Web Pages
Major Description, Name, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
87 Failure to Sanitize Alternate XSS Syntax
Major Demonstrative_Examples, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
88 Argument Injection or Modification
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
89 Failure to Sanitize Data within SQL Queries (aka 'SQL Injection')
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Name, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
90 Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
92 Custom Special Character Injection
Major Maintenance_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
93 Failure to Sanitize CRLF Sequences (aka 'CRLF Injection')
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
94 Code Injection
Major Applicable_Platforms, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction
Minor None
95 Insufficient Control of Directives in Dynamically Evaluated Code (aka 'Eval Injection')
Major Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Causal_Nature
96 Insufficient Control of Directives in Statically Saved Code (Static Code Injection)
Major Applicable_Platforms, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
97 Failure to Sanitize Server-Side Includes (SSI) Within a Web Page
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
98 Insufficient Control of Filename for Include/Require Statement in PHP Program (aka 'PHP File Inclusion')
Major Relationship_Notes, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
99 Insufficient Control of Resource Identifiers (aka 'Resource Injection')
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities, White_Box_Definitions
Minor Applicable_Platforms, Causal_Nature
100 Technology-Specific Input Validation Problems
Major Relationships, Time_of_Introduction
Minor None
101 Struts Validation Problems
Major Description, Relationships, Type
Minor Applicable_Platforms
102 Struts: Duplicate Validation Forms
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
103 Struts: Incomplete validate() Method Definition
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
104 Struts: Form Bean Does Not Extend Validation Class
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
105 Struts: Form Field Without Validator
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
106 Struts: Plug-in Framework not in Use
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
107 Struts: Unused Validation Form
Major Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
108 Struts: Unvalidated Action Form
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
109 Struts: Validator Turned Off
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
110 Struts: Validator Without Form Field
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
111 Direct Use of Unsafe JNI
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
112 Missing XML Validation
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
113 Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting')
Major Demonstrative_Examples, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
114 Process Control
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
115 Misinterpretation of Input
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
116 Insufficient Output Sanitization
Major Demonstrative_Examples, Name, Relationships, Time_of_Introduction
Minor Applicable_Platforms
117 Incorrect Output Sanitization for Logs
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
118 Improper Access of Indexable Resource (aka 'Range Error')
Major Description, Name, Relationships, Time_of_Introduction
Minor Applicable_Platforms
119 Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer
Major Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
120 Unbounded Transfer ('Classic Buffer Overflow')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
121 Stack-based Buffer Overflow
Major Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature, Likelihood_of_Exploit
122 Heap-based Buffer Overflow
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
123 Write-what-where Condition
Major Applicable_Platforms, Common_Consequences, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
124 Boundary Beginning Violation ('Buffer Underwrite')
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
125 Out-of-bounds Read
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Causal_Nature
126 Buffer Over-read
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Causal_Nature
127 Buffer Under-read
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Causal_Nature
128 Wrap-around Error
Major Applicable_Platforms, Background_Details, Common_Consequences, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Causal_Nature
129 Unchecked Array Indexing
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Causal_Nature
130 Failure to Handle Length Parameter Inconsistency
Major Applicable_Platforms, Description, Name, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Causal_Nature
131 Incorrect Calculation of Buffer Size
Major Applicable_Platforms, Maintenance_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
132 DEPRECATED (Duplicate): Miscalculated Null Termination
Major Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships, Type
Minor Weakness_Ordinalities
133 String Errors
Major Relationships
Minor None
134 Uncontrolled Format String
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Detection_Factors, Modes_of_Introduction, Other_Notes, Potential_Mitigations, Relationships, Research_Gaps, Taxonomy_Mappings, Weakness_Ordinalities
Minor Causal_Nature, Functional_Areas, White_Box_Definitions
135 Incorrect Calculation of Multi-Byte String Length
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
136 Type Errors
Major Relationships
Minor None
137 Representation Errors
Major Relationships
Minor None
138 Failure to Sanitize Special Elements
Major Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
139 DEPRECATED: General Special Element Problems
Major Applicable_Platforms, Description, Functional_Areas, Name, Potential_Mitigations, Relationships, Type
Minor None
140 Failure to Sanitize Delimiters
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
141 Failure to Sanitize Parameter/Argument Delimiters
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
142 Failure to Sanitize Value Delimiters
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
143 Failure to Sanitize Record Delimiters
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
144 Failure to Sanitize Line Delimiters
Major Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
145 Failure to Sanitize Section Delimiters
Major Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
146 Failure to Sanitize Expression/Command Delimiters
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
147 Failure to Sanitize Input Terminators
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
148 Failure to Sanitize Input Leaders
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
149 Failure to Sanitize Quoting Syntax
Major Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
150 Failure to Sanitize Escape, Meta, or Control Sequences
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
151 Failure to Sanitize Comment Element
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
152 Failure to Sanitize Macro Symbol
Major Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
153 Failure to Sanitize Substitution Character
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
154 Failure to Sanitize Variable Name Delimiter
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
155 Failure to Sanitize Wildcard or Matching Symbol
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
156 Failure to Sanitize Whitespace
Major Description, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
157 Failure to Sanitize Paired Delimiters
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
158 Failure to Sanitize Null Byte or NUL Character
Major Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
159 Failure to Sanitize Special Element
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
160 Failure to Sanitize Leading Special Element
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
161 Failure to Sanitize Multiple Leading Special Elements
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
162 Failure to Sanitize Trailing Special Element
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
163 Failure to Sanitize Multiple Trailing Special Elements
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
164 Failure to Sanitize Internal Special Element
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
165 Failure to Sanitize Multiple Internal Special Elements
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
166 Failure to Handle Missing Special Element
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
167 Failure to Handle Additional Special Element
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
168 Failure to Resolve Inconsistent Special Elements
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
169 Technology-Specific Special Elements
Major Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
170 Improper Null Termination
Major Applicable_Platforms, Causal_Nature, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor White_Box_Definitions
171 Cleansing, Canonicalization, and Comparison Errors
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
172 Encoding Error
Major Maintenance_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
173 Failure to Handle Alternate Encoding
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
174 Double Decoding of the Same Data
Major Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
175 Failure to Handle Mixed Encoding
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
176 Failure to Handle Unicode Encoding
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
177 Failure to Handle URL Encoding (Hex Encoding)
Major Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
178 Failure to Resolve Case Sensitivity
Major Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
179 Incorrect Behavior Order: Early Validation
Major Modes_of_Introduction, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Applicable_Platforms
181 Incorrect Behavior Order: Validate Before Filter
Major Functional_Areas, Potential_Mitigations, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Alternate_Terms, Applicable_Platforms
182 Collapse of Data Into Unsafe Value
Major Description, Potential_Mitigations, Relationship_Notes, Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
183 Permissive Whitelist
Major Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
184 Incomplete Blacklist
Major Demonstrative_Examples, Detection_Factors, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
185 Incorrect Regular Expression
Major Description, Name, Observed_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
186 Overly Restrictive Regular Expression
Major Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
187 Partial Comparison
Major Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
188 Reliance on Data/Memory Layout
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
189 Numeric Errors
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
190 Integer Overflow (Wrap or Wraparound)
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Terminology_Notes
Minor None
191 Integer Underflow (Wrap or Wraparound)
Major Alternate_Terms, Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor None
192 Integer Coercion Error
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
193 Off-by-one Error
Major Alternate_Terms, Common_Consequences, Observed_Examples, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
194 Incorrect Sign Extension
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings
Minor None
195 Signed to Unsigned Conversion Error
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
196 Unsigned to Signed Conversion Error
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor None
197 Numeric Truncation Error
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor None
198 Use of Incorrect Byte Ordering
Major Detection_Factors, Relationships, Research_Gaps, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
199 Information Management Errors
Major Relationships
Minor Applicable_Platforms
200 Information Leak (Information Disclosure)
Major Likelihood_of_Exploit, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
201 Information Leak Through Sent Data
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
202 Privacy Leak through Data Queries
Major Common_Consequences, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
203 Discrepancy Information Leaks
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
204 Response Discrepancy Information Leak
Major Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
205 Behavioral Discrepancy Information Leak
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
206 Internal Behavioral Inconsistency Information Leak
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
207 External Behavioral Inconsistency Information Leak
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
208 Timing Discrepancy Information Leak
Major Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
209 Error Message Information Leaks
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
210 Product-Generated Error Message Information Leak
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
211 Product-External Error Message Information Leak
Major Applicable_Platforms, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
212 Cross-boundary Cleansing Information Leak
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
213 Intended Information Leak
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
214 Process Environment Information Leak
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
215 Information Leak Through Debug Information
Major Demonstrative_Examples, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
216 Containment Errors (Container Errors)
Major Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
217 Failure to Protect Stored Data from Modification
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
218 DEPRECATED (Duplicate): Failure to provide confidentiality for stored data
Major Alternate_Terms, Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Name, Potential_Mitigations, Relationships, Type
Minor None
219 Sensitive Data Under Web Root
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
220 Sensitive Data Under FTP Root
Major Background_Details, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
221 Information Loss or Omission
Major Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
222 Truncation of Security-relevant Information
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
223 Omission of Security-relevant Information
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
224 Obscured Security-relevant Information by Alternate Name
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
225 DEPRECATED (Duplicate): General Information Management Problems
Major Relationships
Minor None
226 Sensitive Information Uncleared Before Release
Major Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature, Functional_Areas
227 Failure to Fulfill API Contract (aka 'API Abuse')
Major Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms
228 Failure to Handle Syntactically Invalid Structure
Major Description, Maintenance_Notes, Name, Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction
Minor None
229 Improper Handling of Values
Major Relationships, Time_of_Introduction
Minor None
230 Failure to Handle Missing Value
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
231 Failure to Handle Extra Value
Major Modes_of_Introduction, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
232 Failure to Handle Undefined Value
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
233 Parameter Problems
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
234 Failure to Handle Missing Parameter
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
235 Failure to Handle Extra Parameter
Major Modes_of_Introduction, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
236 Failure to Handle Undefined Parameter
Major Observed_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
237 Element Problems
Major Relationships, Taxonomy_Mappings
Minor None
238 Failure to Handle Missing Element
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
239 Failure to Handle Incomplete Element
Major Observed_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
240 Failure to Resolve Inconsistent Elements
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
241 Failure to Handle Wrong Data Type
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
242 Use of Inherently Dangerous Function
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Type, Weakness_Ordinalities
Minor Causal_Nature
243 Failure to Change Working Directory in chroot Jail
Major Applicable_Platforms, Background_Details, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Causal_Nature
244 Failure to Clear Heap Memory Before Release (aka 'Heap Inspection')
Major Applicable_Platforms, Demonstrative_Examples, Name, Other_Notes, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
245 J2EE Bad Practices: Direct Management of Connections
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
246 J2EE Bad Practices: Direct Use of Sockets
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
247 Reliance on DNS Lookups in a Security Decision
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
248 Uncaught Exception
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
249 Often Misused: Path Manipulation
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
250 Design Principle Violation: Failure to Use Least Privilege
Major Description, Modes_of_Introduction, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
251 Often Misused: String Management
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings, White_Box_Definitions
Minor None
252 Unchecked Return Value
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
253 Misinterpreted Function Return Value
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
254 Security Features
Major Relationships, Taxonomy_Mappings
Minor None
255 Credentials Management
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
256 Plaintext Storage of a Password
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
257 Storing Passwords in a Recoverable Format
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
258 Empty Password in Configuration File
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
259 Hard-Coded Password
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities, White_Box_Definitions
Minor Applicable_Platforms, Causal_Nature
260 Password in Configuration File
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
261 Weak Cryptography for Passwords
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
262 Not Using Password Aging
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
263 Password Aging with Long Expiration
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
264 Permissions, Privileges, and Access Controls
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
265 Privilege / Sandbox Issues
Major Description, Relationship_Notes, Relationships, Taxonomy_Mappings, Theoretical_Notes
Minor None
266 Incorrect Privilege Assignment
Major Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
267 Privilege Defined With Unsafe Actions
Major Description, Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
268 Privilege Chaining
Major Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
269 Insecure Privilege Management
Major Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
270 Privilege Context Switching Error
Major Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
271 Privilege Dropping / Lowering Errors
Major Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
272 Least Privilege Violation
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
273 Failure to Check Whether Privileges Were Dropped Successfully
Major Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
274 Failure to Handle Insufficient Privileges
Major Description, Maintenance_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
275 Permission Issues
Major Relationships, Taxonomy_Mappings
Minor None
276 Insecure Default Permissions
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
277 Insecure Inherited Permissions
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
278 Insecure Preserved Inherited Permissions
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
279 Insecure Execution-assigned Permissions
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
280 Failure to Handle Insufficient Permissions or Privileges
Major Maintenance_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
281 Permission Preservation Failure
Major Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
282 Improper Ownership Management
Major Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
283 Unverified Ownership
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
284 Access Control (Authorization) Issues
Major Alternate_Terms, Background_Details, Description, Maintenance_Notes, Name, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
285 Missing or Inconsistent Access Control
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
286 Incorrect User Management
Major Description, Maintenance_Notes, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
287 Insufficient Authentication
Major Alternate_Terms, Common_Consequences, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
288 Authentication Bypass Using an Alternate Path or Channel
Major Description, Modes_of_Introduction, Name, Observed_Examples, Relationship_Notes, Relationships, Taxonomy_Mappings, Type
Minor Applicable_Platforms
289 Authentication Bypass by Alternate Name
Major Description, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
290 Authentication Bypass by Spoofing
Major Demonstrative_Examples, Description, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
291 Trusting Self-reported IP Address
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
292 Trusting Self-reported DNS Name
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
293 Using Referer Field for Authentication
Major Alternate_Terms, Background_Details, Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Relevant_Properties, Taxonomy_Mappings
Minor Applicable_Platforms
294 Authentication Bypass by Capture-replay
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
295 Certificate Issues
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
296 Failure to Follow Chain of Trust in Certificate Validation
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
297 Failure to Validate Host-specific Certificate Data
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
298 Failure to Validate Certificate Expiration
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
299 Failure to Check for Certificate Revocation
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
300 Channel Accessible by Non-Endpoint (aka 'Man-in-the-Middle')
Major Demonstrative_Examples, Description, Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
301 Reflection Attack in an Authentication Protocol
Major Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
302 Authentication Bypass by Assumed-Immutable Data
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
303 Improper Implementation of Authentication Algorithm
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
304 Missing Critical Step in Authentication
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
305 Authentication Bypass by Primary Weakness
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
306 No Authentication for Critical Function
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
307 Failure to Restrict Excessive Authentication Attempts
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
308 Use of Single-factor Authentication
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
309 Use of Password System for Primary Authentication
Major Background_Details, Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
310 Cryptographic Issues
Major Maintenance_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
311 Failure to Encrypt Sensitive Data
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
312 Plaintext Storage of Sensitive Information
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
313 Plaintext Storage in a File or on Disk
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
314 Plaintext Storage in the Registry
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
315 Plaintext Storage in a Cookie
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
316 Plaintext Storage in Memory
Major Description, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
317 Plaintext Storage in GUI
Major Applicable_Platforms, Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
318 Plaintext Storage in Executable
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
319 Plaintext Transmission of Sensitive Information
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
320 Key Management Errors
Major Maintenance_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
321 Use of Hard-coded Cryptographic Key
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms, Description
322 Key Exchange without Entity Authentication
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
323 Reusing a Nonce, Key Pair in Encryption
Major Background_Details, Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
324 Use of a Key Past its Expiration Date
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
325 Missing Required Cryptographic Step
Major Description, Functional_Areas, Modes_of_Introduction, Observed_Examples, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
326 Weak Encryption
Major Maintenance_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
327 Use of a Broken or Risky Cryptographic Algorithm
Major Background_Details, Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
328 Reversible One-Way Hash
Major Observed_Examples, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
329 Not Using a Random IV with CBC Mode
Major Background_Details, Common_Consequences, Demonstrative_Examples, Functional_Areas, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
330 Use of Insufficiently Random Values
Major Background_Details, Demonstrative_Examples, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Functional_Areas
331 Insufficient Entropy
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
332 Insufficient Entropy in PRNG
Major Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
333 Failure to Handle Insufficient Entropy in TRNG
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
334 Small Space of Random Values
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
335 PRNG Seed Error
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
336 Same Seed in PRNG
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
337 Predictable Seed in PRNG
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
338 Use of Cryptographically Weak PRNG
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
339 Small Seed Space in PRNG
Major Maintenance_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
340 Predictability Problems
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
341 Predictable from Observable State
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
342 Predictable Exact Value from Previous Values
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
343 Predictable Value Range from Previous Values
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
344 Use of Invariant Value in Dynamically Changing Context
Major Other_Notes, Relationship_Notes, Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
345 Insufficient Verification of Data Authenticity
Major Maintenance_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
346 Origin Validation Error
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
347 Improperly Verified Signature
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
348 Use of Less Trusted Source
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
350 Improperly Trusted Reverse DNS
Major Demonstrative_Examples, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
351 Insufficient Type Distinction
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
352 Cross-Site Request Forgery (CSRF)
Major Alternate_Terms, Description, Other_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
353 Failure to Add Integrity Check Value
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
354 Failure to Check Integrity Check Value
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
355 User Interface Security Issues
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
356 Product UI does not Warn User of Unsafe Actions
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
357 Insufficient UI Warning of Dangerous Operations
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
358 Improperly Implemented Security Check for Standard
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
359 Privacy Violation
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
360 Trust of System Event Data
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
361 Time and State
Major Relationships, Taxonomy_Mappings
Minor None
362 Race Condition
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
363 Race Condition Enabling Link Following
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
364 Signal Handler Race Condition
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
365 Race Condition in Switch
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
366 Race Condition within a Thread
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
367 Time-of-check Time-of-use Race Condition
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor Applicable_Platforms
368 Context Switching Race Condition
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
369 Divide By Zero
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
370 Race Condition in Checking for Certificate Revocation
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
371 State Issues
Major Relationships
Minor None
372 Incomplete Internal State Distinction
Major Maintenance_Notes, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
373 State Synchronization Error
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
374 Mutable Objects Passed by Reference
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
375 Passing Mutable Objects to an Untrusted Method
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
376 Temporary File Issues
Major Relationships
Minor None
377 Insecure Temporary File
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
378 Creation of Temporary File With Insecure Permissions
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
379 Creation of Temporary File in Directory with Insecure Permissions
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
380 Technology-Specific Time and State Issues
Major Relationships
Minor None
381 J2EE Time and State Issues
Major Relationships
Minor None
382 J2EE Bad Practices: Use of System.exit()
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
383 J2EE Bad Practices: Direct Use of Threads
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
384 Session Fixation
Major Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
385 Covert Timing Channel
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
386 Symbolic Name not Mapping to Correct Object
Major Common_Consequences, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
387 Signal Errors
Major Applicable_Platforms, Description, Maintenance_Notes, Observed_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Type
Minor None
388 Error Handling
Major Common_Consequences, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings
Minor None
389 Error Conditions, Return Values, Status Codes
Major Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
390 Detection of Error Condition Without Action
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
391 Unchecked Error Condition
Major Demonstrative_Examples, Maintenance_Notes, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor Applicable_Platforms
392 Failure to Report Error in Status Code
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
393 Return of Wrong Status Code
Major Demonstrative_Examples, Maintenance_Notes, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
394 Unexpected Status Code or Return Value
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
396 Declaration of Catch for Generic Exception
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
397 Declaration of Throws for Generic Exception
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
398 Indicator of Poor Code Quality
Major Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
399 Resource Management Errors
Major Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
400 Resource Exhaustion
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms, Likelihood_of_Exploit
401 Failure to Release Memory Before Removing Last Reference (aka 'Memory Leak')
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, References, Relationship_Notes, Relationships, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction
Minor White_Box_Definitions
402 Transmission of Private Resources into a New Sphere (aka 'Resource Leak')
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
403 UNIX File Descriptor Leak
Major Applicable_Platforms, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
404 Improper Resource Shutdown or Release
Major Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
405 Asymmetric Resource Consumption (Amplification)
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
406 Network Amplification
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
407 Algorithmic Complexity
Major Common_Consequences, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
408 Incorrect Behavior Order: Early Amplification
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
409 Failure to Handle Highly Compressed Data (Data Amplification)
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
410 Insufficient Resource Pool
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
411 Resource Locking Problems
Major Relationships, Taxonomy_Mappings
Minor None
412 Unrestricted Lock on Critical Resource
Major Common_Consequences, Description, Detection_Factors, Observed_Examples, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
413 Insufficient Resource Locking
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
414 Missing Lock Check
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
415 Double Free
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor Alternate_Terms
416 Use After Free
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor Alternate_Terms
417 Channel and Path Errors
Major Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
418 Channel Errors
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
419 Unprotected Primary Channel
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
420 Unprotected Alternate Channel
Major Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
421 Race Condition During Access to Alternate Channel
Major Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Applicable_Platforms
422 Unprotected Windows Messaging Channel ('Shatter')
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
423 Proxied Trusted Channel
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
424 Failure to Protect Alternate Path
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
425 Direct Request ('Forced Browsing')
Major Alternate_Terms, Demonstrative_Examples, Potential_Mitigations, Relationship_Notes, Relationships, Taxonomy_Mappings, Theoretical_Notes, Time_of_Introduction
Minor Applicable_Platforms
426 Untrusted Search Path
Major Common_Consequences, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
427 Uncontrolled Search Path Element
Major Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
428 Unquoted Search Path or Element
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
429 Handler Errors
Major Other_Notes, Relationships, Taxonomy_Mappings
Minor None
430 Deployment of Wrong Handler
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
431 Missing Handler
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
432 Dangerous Handler not Disabled During Sensitive Operations
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
433 Unparsed Raw Web Content Delivery
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
434 Unrestricted File Upload
Major Alternate_Terms, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
435 Interaction Error
Major Relationship_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
436 Interpretation Conflict
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
437 Incomplete Model of Endpoint Features
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
438 Behavioral Problems
Major Relationships, Taxonomy_Mappings
Minor None
439 Behavioral Change in New Version or Environment
Major Observed_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
440 Expected Behavior Violation
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
441 Unintended Proxy/Intermediary
Major Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
442 Web Problems
Major Description, Relationships, Taxonomy_Mappings
Minor None
443 DEPRECATED (Duplicate): HTTP response splitting
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests (aka 'HTTP Request Smuggling')
Major Name, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
445 User Interface Errors
Major Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
446 UI Discrepancy for Security Feature
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Applicable_Platforms
447 Unimplemented or Unsupported Feature in UI
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
448 Obsolete Feature in UI
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
449 The UI Performs the Wrong Action
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
450 Multiple Interpretations of UI Input
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
451 UI Misrepresentation of Critical Information
Major Maintenance_Notes, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
452 Initialization and Cleanup Errors
Major Other_Notes, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
453 Insecure Default Variable Initialization
Major Applicable_Platforms, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
454 External Initialization of Trusted Variables
Major Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
455 Non-exit on Failed Initialization
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
456 Missing Initialization
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
457 Use of Uninitialized Variable
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
458 DEPRECATED: Incorrect Initialization
Major Relationships
Minor None
459 Incomplete Cleanup
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
460 Improper Cleanup on Thrown Exception
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
461 Data Structure Issues
Major Relationships
Minor None
462 Duplicate Key in Associative List (Alist)
Major Applicable_Platforms, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
463 Deletion of Data Structure Sentinel
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
464 Addition of Data Structure Sentinel
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
465 Pointer Issues
Major Relationships
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Applicable_Platforms, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
467 Use of sizeof() on a Pointer Type
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities, White_Box_Definitions
Minor None
468 Incorrect Pointer Scaling
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Applicable_Platforms, Common_Consequences, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection')
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor Applicable_Platforms
471 Modification of Assumed-Immutable Data (MAID)
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
472 External Control of Assumed-Immutable Web Parameter
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
473 PHP External Variable Modification
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
474 Use of Function with Inconsistent Implementations
Major Applicable_Platforms, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
475 Undefined Behavior for Input to API
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
476 NULL Pointer Dereference
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor None
477 Use of Obsolete Functions
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
478 Failure to Use Default Case in Switch
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor None
479 Unsafe Function Call from a Signal Handler
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
480 Use of Incorrect Operator
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
481 Assigning instead of Comparing
Major Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
482 Comparing instead of Assigning
Major Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
483 Incorrect Block Delimitation
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
484 Omitted Break Statement
Major Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
485 Insufficient Encapsulation
Major Description, Maintenance_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Terminology_Notes, Time_of_Introduction
Minor None
486 Comparison of Classes by Name
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
487 Reliance on Package-level Scope
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
488 Data Leak Between Sessions
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
489 Leftover Debug Code
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor Applicable_Platforms
490 Mobile Code Issues
Major Relationships
Minor None
491 Public cloneable() Method Without Final (aka 'Object Hijack')
Major Demonstrative_Examples, Potential_Mitigations, References, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
492 Use of Inner Class Containing Sensitive Data
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
493 Critical Public Variable Without Final Modifier
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Likelihood_of_Exploit, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
494 Download of Untrusted Mobile Code Without Integrity Check
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
495 Private Array-Typed Field Returned From A Public Method
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
496 Public Data Assigned to Private Array-Typed Field
Major Applicable_Platforms, Demonstrative_Examples, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
497 Information Leak of System Data
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Applicable_Platforms
498 Information Leak through Class Cloning
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
499 Serializable Class Containing Sensitive Data
Major Common_Consequences, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
500 Static Field Not Marked Final
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, White_Box_Definitions
Minor None
501 Trust Boundary Violation
Major Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
502 Deserialization of Untrusted Data
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
503 Byte/Object Code
Major Relationships, Taxonomy_Mappings
Minor None
504 Motivation/Intent
Major Relationships, Taxonomy_Mappings
Minor None
505 Intentionally Introduced Weakness
Major Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings
Minor None
506 Embedded Malicious Code
Major Demonstrative_Examples, Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
507 Trojan Horse
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
508 Non-Replicating Malicious Code
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
509 Replicating Malicious Code (Virus or Worm)
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
510 Trapdoor
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
511 Logic/Time Bomb
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
512 Spyware
Major Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
513 Intentionally Introduced Nonmalicious Weakness
Major Relationships, Taxonomy_Mappings
Minor None
514 Covert Channel
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
515 Covert Storage Channel
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
516 DEPRECATED (Duplicate): Covert Timing Channel
Major Relationships
Minor None
517 Other Intentional, Nonmalicious Weakness
Major Relationships, Taxonomy_Mappings
Minor None
518 Inadvertently Introduced Weakness
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
519 .NET Environment Issues
Major Relationships
Minor None
520 .NET Misconfiguration: Use of Impersonation
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
521 Weak Password Requirements
Major Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
522 Insufficiently Protected Credentials
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
523 Unprotected Transport of Credentials
Major Background_Details, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
524 Information Leak Through Caching
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
525 Information Leak Through Browser Caching
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
526 Information Leak Through Environmental Variables
Major Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
527 Information Leak Through CVS Repository
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
528 Information Leak Through Core Dump Files
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
529 Information Leak Through Access Control List Files
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
530 Information Leak Through Backup (.~bk) Files
Major Common_Consequences, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
531 Information Leak Through Test Code
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
532 Information Leak Through Log Files
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
533 Information Leak Through Server Log Files
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
534 Information Leak Through Debug Log Files
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
535 Information Leak Through Shell Error Message
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
536 Information Leak Through Servlet Runtime Error Message
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
537 Information Leak Through Java Runtime Error Message
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
538 File and Directory Information Leaks
Major Potential_Mitigations, Relationships, Time_of_Introduction, Type
Minor Applicable_Platforms
539 Information Leak Through Persistent Cookies
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
540 Information Leak Through Source Code
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
541 Information Leak Through Include Source Code
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
542 Information Leak Through Cleanup Log Files
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
543 Use of Singleton Pattern in a Non-thread-safe Manner
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
544 Missing Error Handling Mechanism
Major Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
545 Use of Dynamic Class Loading
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
546 Suspicious Comment
Major Demonstrative_Examples, Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
547 Use of Hard-coded, Security-relevant Constants
Major Demonstrative_Examples, Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
548 Information Leak Through Directory Listing
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
549 Missing Password Field Masking
Major Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
550 Information Leak Through Server Error Message
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
552 Files or Directories Accessible to External Parties
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
553 Command Shell in Externally Accessible Directory
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
554 ASP.NET Misconfiguration: Not Using Input Validation Framework
Major Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor Applicable_Platforms
555 J2EE Misconfiguration: Plaintext Password in Configuration File
Major Demonstrative_Examples, Description, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
556 ASP.NET Misconfiguration: Use of Identity Impersonation
Major Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
557 Concurrency Issues
Major Relationships
Minor None
558 Use of getlogin() in Multithreaded Application
Major Applicable_Platforms, Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
559 Often Misused: Arguments and Parameters
Major Other_Notes, Relationships
Minor None
560 Use of umask() with chmod-style Argument
Major Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
561 Dead Code
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
562 Return of Stack Variable Address
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
563 Unused Variable
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
564 SQL Injection: Hibernate
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
565 Use of Cookies in Security Decision
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
566 Access Control Bypass Through User-Controlled SQL Primary Key
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
567 Unsynchronized Access to Shared Data
Major Demonstrative_Examples, Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
568 finalize() Method Without super.finalize()
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
569 Expression Issues
Major Relationships
Minor None
570 Expression is Always False
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
571 Expression is Always True
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
572 Call to Thread run() instead of start()
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
573 Failure to Follow Specification
Major Description, Relationships, Time_of_Introduction
Minor None
574 EJB Bad Practices: Use of Synchronization Primitives
Major Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
575 EJB Bad Practices: Use of AWT Swing
Major Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
576 EJB Bad Practices: Use of Java I/O
Major Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
577 EJB Bad Practices: Use of Sockets
Major Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
578 EJB Bad Practices: Use of Class Loader
Major Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
579 J2EE Bad Practices: Non-serializable Object Stored in Session
Major Demonstrative_Examples, Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
580 clone() Method Without super.clone()
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
581 Object Model Violation: Just One of Equals and Hashcode Defined
Major Common_Consequences, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
582 Array Declared Public, Final, and Static
Major Demonstrative_Examples, Description, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
583 finalize() Method Declared Public
Major Demonstrative_Examples, Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
584 Return Inside Finally Block
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
585 Empty Synchronized Block
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms
586 Explicit Call to Finalize()
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor Applicable_Platforms, Name
587 Assignment of a Fixed Address to a Pointer
Major Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities, White_Box_Definitions
Minor None
588 Attempt to Access Child of a Non-structure Pointer
Major Demonstrative_Examples, Other_Notes, Relationships, Time_of_Introduction
Minor None
589 Call to Non-ubiquitous API
Major Other_Notes, Relationships, Time_of_Introduction
Minor None
590 Free of Invalid Pointer Not on the Heap
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
591 Sensitive Data Storage in Improperly Locked Memory
Major Common_Consequences, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
592 Authentication Bypass Issues
Major Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
594 J2EE Framework: Saving Unserializable Objects to Disk
Major Common_Consequences, Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
595 Incorrect Syntactic Object Comparison
Major Demonstrative_Examples, Description, Other_Notes, Relationships, Time_of_Introduction
Minor None
596 Incorrect Semantic Object Comparison
Major Demonstrative_Examples, Description, Detection_Factors, Relationships, Time_of_Introduction
Minor None
597 Use of Wrong Operator in String Comparison
Major Demonstrative_Examples, Description, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
598 Information Leak Through Query Strings in GET Request
Major Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
599 Trust of OpenSSL Certificate Without Validation
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
600 Failure to Catch All Exceptions (Missing Catch Block)
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
601 URL Redirection to Untrusted Site (aka 'Open Redirect')
Major Alternate_Terms, Background_Details, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
602 Design Principle Violation: Client-Side Enforcement of Server-Side Security
Major Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
603 Use of Client-Side Authentication
Major Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
604 Deprecated
Major Relationships, View_Structure
Minor None
605 Multiple Binds to the Same Port
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
606 Unchecked Input for Loop Condition
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Type
Minor None
607 Public Static Final Field References Mutable Object
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
608 Struts: Non-private Field in ActionForm Class
Major Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
609 Double-Checked Locking
Major Demonstrative_Examples, Description, Relationships, Taxonomy_Mappings
Minor Applicable_Platforms
610 Externally Controlled Reference to a Resource in Another Sphere
Major Other_Notes, Relationships, Taxonomy_Mappings
Minor None
611 Information Leak Through XML External Entity File Disclosure
Major Description, Observed_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
612 Information Leak Through Indexing of Private Data
Major Description, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
613 Insufficient Session Expiration
Major Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
614 Sensitive Cookie in HTTPS Session Without "Secure" Attribute
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
615 Information Leak Through Comments
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor None
616 Incomplete Identification of Uploaded File Variables (PHP)
Major Demonstrative_Examples, Observed_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms
617 Reachable Assertion
Major Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Potential_Mitigations, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
618 Exposed Unsafe ActiveX Method
Major Observed_Examples, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
619 Dangling Database Cursor (aka 'Cursor Injection')
Major Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
620 Unverified Password Change
Major Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
621 Variable Extraction Error
Major Description, Observed_Examples, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Applicable_Platforms
622 Unvalidated Function Hook Arguments
Major Description, Observed_Examples, Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Description, Observed_Examples, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
624 Executable Regular Expression Error
Major Applicable_Platforms, Observed_Examples, Relationships, Time_of_Introduction
Minor None
625 Permissive Regular Expression
Major Applicable_Platforms, Demonstrative_Examples, Description, Observed_Examples, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Applicable_Platforms, Description, Observed_Examples, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor None
627 Dynamic Variable Evaluation
Major Applicable_Platforms, Relationships, Time_of_Introduction
Minor Alternate_Terms
628 Function Call with Incorrectly Specified Arguments
Major Description, Other_Notes, Relationships, Weakness_Ordinalities
Minor Applicable_Platforms
629 Weaknesses in OWASP Top Ten (2007)
Major Description, Name, References, Relationship_Notes, Relationships, View_Audience, View_Structure
Minor None
630 Weaknesses Examined by SAMATE
Major References, Relationships, View_Structure
Minor None
631 Resource-specific Weaknesses
Major Relationships, View_Structure
Minor None
632 Weaknesses that Affect Files or Directories
Major Relationships
Minor None
633 Weaknesses that Affect Memory
Major Relationships
Minor None
634 Weaknesses that Affect System Processes
Major Relationships
Minor None
635 Weaknesses Used by NVD
Major Maintenance_Notes, References, Relationships, View_Structure
Minor None
636 Design Principle Violation: Not Failing Securely (aka 'Failing Open')
Major Common_Consequences, Demonstrative_Examples, Description, Name, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Applicable_Platforms, Causal_Nature
637 Design Principle Violation: Not Using Economy of Mechanism
Major Demonstrative_Examples, Description, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Applicable_Platforms, Causal_Nature
638 Design Principle Violation: Not Using Complete Mediation
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
639 Access Control Bypass Through User-Controlled Key
Major Common_Consequences, Relationships, Type
Minor Applicable_Platforms
640 Weak Password Recovery Mechanism for Forgotten Password
Major Common_Consequences, Description, Maintenance_Notes, Name, Relationships
Minor Applicable_Platforms
641 Insufficient Filtering of File and Other Resource Names for Executable Content
Major Common_Consequences, Relationships
Minor Applicable_Platforms
642 External Control of User State Data
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor Applicable_Platforms
643 Unsafe Treatment of XPath Input
Major Common_Consequences, Demonstrative_Examples, Relationships
Minor Applicable_Platforms
644 Insufficient Filtering of HTTP Headers for Scripting Syntax
Major Common_Consequences, Demonstrative_Examples, Observed_Examples, Relationships
Minor Applicable_Platforms
645 Overly Restrictive Account Lockout Mechanism
Major Common_Consequences, Enabling_Factors_for_Exploitation, Relationships
Minor Applicable_Platforms
646 Taking Actions based on File Name or Extension of a User Supplied File
Major Common_Consequences, Observed_Examples, Relationships, Time_of_Introduction
Minor Applicable_Platforms
647 Using Non-Canonical Paths for Authorization Decisions
Major Common_Consequences, Relationships, Time_of_Introduction
Minor Applicable_Platforms
648 Improper Use of Privileged APIs
Major Common_Consequences, Relationships, Time_of_Introduction
Minor Applicable_Platforms
649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
Major Common_Consequences, Observed_Examples, Relationships
Minor Applicable_Platforms
650 Trusting HTTP Permission Methods on the Server Side
Major Common_Consequences, Relationships, Time_of_Introduction
Minor Applicable_Platforms
651 Information Leak through WSDL File
Major Applicable_Platforms, Common_Consequences, Description, Relationships, Time_of_Introduction
Minor None
652 Unsafe Treatment of XQuery Input
Major Common_Consequences, Relationships
Minor Applicable_Platforms
653 Design Principle Violation: Insufficient Compartmentalization
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
654 Design Principle Violation: Reliance on a Single Factor in a Security Decision
Major Alternate_Terms, Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
655 Design Principle Violation: Failure to Satisfy Psychological Acceptability
Major Common_Consequences, Demonstrative_Examples, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Applicable_Platforms, Causal_Nature
656 Design Principle Violation: Reliance on Security through Obscurity
Major Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Relationships, Time_of_Introduction, Weakness_Ordinalities
Minor Alternate_Terms, Applicable_Platforms, Causal_Nature
657 Violation of Secure Design Principles
Major Description, Relationships, Time_of_Introduction
Minor None
658 Weaknesses in Software Written in C
Major Description, Name, View_Filter, View_Structure
Minor None
659 Weaknesses in Software Written in C++
Major Description, Name, View_Filter, View_Structure
Minor None
660 Weaknesses in Software Written in Java
Major Description, Name, View_Filter, View_Structure
Minor None
661 Weaknesses in Software Written in PHP
Major Description, Name, View_Filter, View_Structure
Minor None
662 Insufficient Synchronization
Major Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
663 Use of a Non-reentrant Function in an Unsynchronized Context
Major Potential_Mitigations, References, Relationships, Time_of_Introduction
Minor None
664 Insufficient Control of a Resource Through its Lifetime
Major Description, Maintenance_Notes, Potential_Mitigations, Relationships, Time_of_Introduction, Type
Minor None
665 Incorrect or Incomplete Initialization
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Applicable_Platforms
666 Operation on Resource in Wrong Phase of Lifetime
Major Description, Potential_Mitigations, Time_of_Introduction
Minor None
667 Insufficient Locking
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
668 Exposure of Resource to Wrong Sphere
Major Other_Notes, Relationships, Time_of_Introduction
Minor None
669 Incorrect Resource Transfer Between Spheres
Major Other_Notes, Relationships, Time_of_Introduction
Minor None
670 Always-Incorrect Control Flow Implementation
Major Description, Other_Notes, Relationships, Time_of_Introduction
Minor None
671 Design Principle Violation: Lack of Administrator Control over Security
Major Description, Relationships, Time_of_Introduction
Minor None
672 Use of a Resource after Expiration or Release
Major Relationships, Time_of_Introduction
Minor None
673 External Influence of Sphere Definition
Major Demonstrative_Examples, Description, Other_Notes, Relationships, Time_of_Introduction
Minor None
674 Uncontrolled Recursion
Major Common_Consequences, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction
Minor Alternate_Terms, Applicable_Platforms
675 Duplicate Operations on Resource
Major Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
676 Use of Potentially Dangerous Function
Major Applicable_Platforms, Demonstrative_Examples, Other_Notes, Potential_Mitigations, Relationships, Taxonomy_Mappings, Time_of_Introduction, Weakness_Ordinalities
Minor Causal_Nature
677 Weakness Base Elements
Major View_Filter, View_Structure
Minor None
678 Composites
Major Description, View_Filter, View_Structure
Minor None
679 Chain Elements
Major View_Filter, View_Structure
Minor None
680 Integer Overflow to Buffer Overflow
Major Relationships
Minor Applicable_Platforms
681 Incorrect Conversion between Numeric Types
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
682 Incorrect Calculation
Major Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
683 Function Call With Incorrect Order of Arguments
Major Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
684 Failure to Provide Specified Functionality
Major Description, Potential_Mitigations, Relationships, Time_of_Introduction
Minor None
685 Function Call With Incorrect Number of Arguments
Major Applicable_Platforms, Detection_Factors, Other_Notes, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
686 Function Call With Incorrect Argument Type
Major Description, Other_Notes, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
687 Function Call With Incorrectly Specified Argument Value
Major Demonstrative_Examples, Detection_Factors, Other_Notes, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
688 Function Call With Incorrect Variable or Reference as Argument
Major Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Other_Notes, Potential_Mitigations, Relationships, Weakness_Ordinalities
Minor None
689 Permission Race Condition During Resource Copy
Major Applicable_Platforms, Other_Notes, Relationships, Weakness_Ordinalities
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major Applicable_Platforms, Demonstrative_Examples, Description, Detection_Factors, Other_Notes, Relationships
Minor None
691 Insufficient Control Flow Management
Major Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
692 Incomplete Blacklist to Cross-Site Scripting
Major Applicable_Platforms, Other_Notes, Relationships
Minor None
693 Protection Mechanism Failure
Major Description, Other_Notes, Relationships, Time_of_Introduction
Minor Applicable_Platforms
1000 Research Concepts
Major Description, Name, Relationships, View_Audience, View_Structure
Minor None
2000 Comprehensive CWE Dictionary
Major View_Structure
Minor None
Back to top
Page Last Updated: January 05, 2017
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.